core oauth rotation

[jroth1111]

Context: #5748.

Summary

This PR bundles the auth v2 work (credential vault + multi-account store + same-request rotation) with the TUI credential manager/rotation stats, opt-in model discovery, and the updated RFC docs.

If it's easier to review in smaller chunks, the same work is also split across:

• auth v2 core #5742 (auth v2 core)
• auth v2 credential ui #5743 (TUI credential manager + rotation stats)
• auth v2 model discovery #5744 (model discovery)
• auth v2 vault cli #5745 (vault key CLI)

Highlights

• Encrypted credential vault (AES-256-GCM) + migration to a multi-record store.
• Fetch-level rotation/refresh engine (429 rotation, 401/403 refresh where supported).
• TUI dialogs to manage credentials and view rotation stats.
• Optional model discovery for OpenAI-compatible providers.
• RFC: specs/provider-auth-v2.md

Testing

• bun test packages/opencode/test/credentials
• bun test packages/opencode/test/inference/rotating-fetch.test.ts

[jroth1111]

FYI: this is meant as a useful optional improvement, not a demand to take a large refactor.

Value prop (if it's aligned): encrypted-at-rest credentials + multi-account subscription pools, and a fetch-level rotation/refresh engine that reduces user-visible failures on 429/expired sessions.

If it's not the direction you want, totally fine to close — I opened #5748 to discuss and can re-scope/split further based on your preferences.

[jroth1111]

Superseded by #5754 (focused multi-account OAuth subscription failover using Bun.secrets). Closing to reduce noise; happy to reopen if you want the broader scope.