feat(pm-wizard): add provider-owned credential metadata

[aaight]

Summary

Adds provider-owned auth and credential persistence metadata to the frontend PM wizard definition path. This is a compatibility-first foundation: existing save and verification call paths remain unchanged, while metadata-backed helpers and tests prove the contract for the next refactor.

Card: https://trello.com/c/6a003177cc0f09c06dca1b2e

Changes

• Extends ProviderWizardDefinition with typed auth metadata for raw credentials and stored project credential fallback.
• Extends ProviderWizardDefinition with typed normal credential persistence metadata.
• Declares Trello auth/persistence metadata for api_key + token and TRELLO_API_KEY + TRELLO_TOKEN.
• Declares JIRA auth metadata for email, api_token, and base_url, while persisting only JIRA_EMAIL and JIRA_API_TOKEN.
• Declares Linear auth/persistence metadata for api_key and LINEAR_API_KEY; webhook secret persistence remains managed by the Linear webhook step.
• Adds metadata-backed auth payload tests covering stored credential fallback, raw credential payloads, missing credential errors, and provider metadata completeness.

Verification

• npx vitest run --project unit-core tests/unit/web/pm-wizard-hooks.test.ts tests/unit/web/pm-provider-registry.test.ts tests/unit/web/pm-wizard-generic-renderer.test.ts
• npm run typecheck
• npm run lint:fix
• npm run lint
• env -u CASCADE_ORG_ID npm test

Note: plain npm test initially failed because this agent environment exports CASCADE_ORG_ID=mongrel, which leaks into tests/unit/cli/dashboard/config.test.ts; rerunning with that env var unset passed all unit tests.

🕵️ codex · gpt-5.5 · run details

[nhopeatall]

LGTM - the provider-owned metadata matches the existing auth and persistence contracts, the current call paths remain compatibility-safe, and CI is green.

🕵️ codex · gpt-5.5 · run details