
feat: store auth tokens in OS credential storage#77

Merged
gnapse merged 3 commits into main from ernesto/secure-token-store
Mar 11, 2026

Conversation

@gnapse
Collaborator

@gnapse gnapse commented Mar 10, 2026

Summary

  • Store auth tokens in OS-native secure storage via @napi-rs/keyring.
  • Keep TWIST_API_TOKEN as the highest-priority auth source.
  • Automatically migrate legacy plaintext token values from config into secure storage while preserving other config fields.
  • Fall back to plaintext config storage with an explicit warning when the system credential store is unavailable.

User-facing updates

  • Update auth login, auth token, and auth logout messaging to stop claiming tokens are always stored in the config file.
  • Document secure storage, migration, fallback behavior, and env-var precedence in the README and installed skill content.

Test plan

First build the CLI in this branch:

npm run build

Then try the auth commands:

node dist/index.js auth status

# if you're signed in, the above command should've already migrated the token to the secure store
# the config file should either not exist, or have other config but not the token anymore
cat ~/.config/twist-cli/config.json

Optional: try signing out and signing back in:

node dist/index.js auth logout
node dist/index.js auth login

# and run auth status again
node dist/index.js auth status
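The precedence and fallback rules from the summary (TWIST_API_TOKEN first, then the secure store, with plaintext config only as a fallback that is migrated back into the secure store when it recovers), as an added illustration that is not the project's code. The in-memory `makeMemoryKeyring` stands in for @napi-rs/keyring so it runs offline, the service name `twist-cli` is an assumed placeholder, and treating a plaintext config token as the newest value is one way to keep a stale secure credential from shadowing a fallback login.

```javascript
const SERVICE = 'twist-cli'; // assumed keyring service name (placeholder)

// In-memory stand-in for the OS credential store (the real backend would be
// @napi-rs/keyring). Flip `available` to simulate a credential manager outage.
function makeMemoryKeyring() {
  const secrets = new Map();
  const store = { available: true };
  const guard = (fn) => (...args) => {
    if (!store.available) throw new Error('credential store unavailable');
    return fn(...args);
  };
  store.get = guard((k) => secrets.get(k) ?? null);
  store.set = guard((k, v) => { secrets.set(k, v); });
  store.delete = guard((k) => secrets.delete(k));
  return store;
}

// Save: secure store first; on failure, fall back to plaintext config with a warning.
function saveToken(token, { config, keyring, warn }) {
  try { keyring.set(SERVICE, token); delete config.token; return 'keyring'; }
  catch (e) {
    warn(`secure storage unavailable, saving token in config: ${e.message}`);
    config.token = token;
    return 'config';
  }
}

// Resolve: TWIST_API_TOKEN > plaintext config (migrated on read) > secure store.
// A plaintext token is treated as the newest value and overwrites whatever the
// keyring holds, so a stale secure credential cannot shadow a fallback login.
function resolveToken({ env, config, keyring, warn }) {
  if (env.TWIST_API_TOKEN) return { token: env.TWIST_API_TOKEN, source: 'env' };
  if (config.token) {
    try { keyring.set(SERVICE, config.token); delete config.token; } // other fields kept
    catch (e) {
      warn(`migration deferred, using plaintext config: ${e.message}`);
      return { token: config.token, source: 'config' };
    }
  }
  try { const t = keyring.get(SERVICE); return { token: t, source: t ? 'keyring' : null }; }
  catch (e) { warn(`secure storage unavailable: ${e.message}`); return { token: null, source: null }; }
}

// Logout: clear both locations; return false if the secure entry could not be removed.
function clearToken({ config, keyring, warn }) {
  delete config.token;
  try { keyring.delete(SERVICE); return true; }
  catch (e) { warn(`could not remove secure credential, retry later: ${e.message}`); return false; }
}
```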

@doistbot doistbot requested a review from pedroalves0 March 10, 2026 12:25
@gnapse gnapse self-assigned this Mar 10, 2026

@doistbot-app doistbot-app bot left a comment


This PR introduces OS-native secure storage for authentication tokens using @napi-rs/keyring, complete with an automatic migration path from legacy plaintext configurations. This is a great enhancement that significantly improves the security of stored credentials while maintaining a seamless user experience. However, there are a couple of edge cases during transient credential manager failures where fallback operations in saving or clearing the token might leave stale secure credentials active once the system recovers.


@gnapse gnapse merged commit b67a11b into main Mar 11, 2026
2 checks passed
@gnapse gnapse deleted the ernesto/secure-token-store branch March 11, 2026 11:52
github-actions bot pushed a commit that referenced this pull request Mar 11, 2026
# [2.10.0](v2.9.1...v2.10.0) (2026-03-11)

### Features

* store auth tokens in OS credential storage ([#77](#77)) ([b67a11b](b67a11b))
@github-actions

🎉 This PR is included in version 2.10.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
