feat(providers): add credential refresh foundation

[johntmyers]

Summary

Adds the first provider credential refresh foundation slice for #1306. This PR wires refresh metadata through profiles, providers, gateway APIs, provider environment resolution, and sandbox placeholder resolution without enabling a gateway token-minting worker yet.

Related Issue

Refs #1306

Changes

• Adds provider profile credential refresh metadata and provider credential expiry fields to the proto model.
• Adds refresh status/configure/rotate RPCs and CLI commands:
  • openshell provider refresh-status NAME [--credential-key KEY]
  • openshell provider refresh-config NAME --credential-key KEY --strategy STRATEGY --material KEY=VALUE --secret-material-key KEY --credential-expires-at TIMESTAMP_MS
  • openshell provider rotate NAME --credential-key KEY
  • openshell provider update NAME --credential-expires-at KEY=TIMESTAMP_MS
• Stores provider refresh runtime state as scoped objects in the existing objects table using scope = provider_id.
• Expires credentials in gateway provider env resolution and carries expiry metadata to sandbox credential snapshots.
• Makes sandbox placeholder resolution fail closed for expired retained provider credential generations.
• Documents the user-facing commands and gateway refresh-state storage behavior.

UX Changes

Static credential flows continue to work. Users can now annotate provider credentials with expiration timestamps:

openshell provider update github-work \
  --credential-expires-at GITHUB_TOKEN=1767225600000

Users can configure and inspect gateway-owned refresh metadata for a provider credential:

openshell provider refresh-config microsoft-work \
  --credential-key MS_GRAPH_ACCESS_TOKEN \
  --strategy oauth2-client-credentials \
  --material tenant_id=example-tenant \
  --secret-material-key client_secret \
  --credential-expires-at 1767225600000

openshell provider refresh-status microsoft-work --credential-key MS_GRAPH_ACCESS_TOKEN

openshell provider rotate records a refresh request/status today, but token minting is intentionally not implemented in this first slice.

Current Behavior

• The current provider credential value remains the injectable source of truth.
• Expired credentials are skipped by gateway provider environment resolution.
• Existing sandbox placeholder resolution rejects expired retained credential generations.
• Refresh material/status is persisted, but no background refresh worker mints new access tokens yet.

Testing

• RUSTC_WRAPPER= cargo check -p openshell-server -p openshell-sandbox -p openshell-providers -p openshell-cli
• RUSTC_WRAPPER= cargo test -p openshell-server -p openshell-sandbox -p openshell-providers -p openshell-cli --no-run
• RUSTC_WRAPPER= cargo test -p openshell-providers profile_refresh_metadata_round_trips_through_proto_and_yaml
• RUSTC_WRAPPER= cargo test -p openshell-sandbox expired_retained_generation_does_not_resolve
• RUSTC_WRAPPER= cargo test -p openshell-cli provider_update_accepts_credential_expiry
• RUSTC_WRAPPER= cargo test -p openshell-server resolve_provider_env_skips_expired_credentials_and_returns_expiry_metadata
• RUSTC_WRAPPER= cargo test -p openshell-server -p openshell-sandbox -p openshell-providers -p openshell-cli provider_refresh -- --nocapture
• mise run pre-commit

Checklist

• Tests pass locally
• Documentation updated for user-facing behavior
• No secrets or credentials committed

[copy-pr-bot]

Auto-sync is disabled for draft pull requests in this repository. Workflows must be run manually.

Contributors can view more details about this message here.

[github-actions]

🌿 Preview your docs: https://nvidia-preview-pr-1349.docs.buildwithfern.com/openshell