Fix LinkedIn Ops Console auth/sync readiness flow

[Chkhikvadze]

Problem

The ops console looked "ready" while showing 0 conversations, and the bearer-token field made LinkedIn auth look like the blocker even when local API auth was off.

Root cause

The UI only exposed a dry-run sync path and unclear token copy. The backend ops contract also had no /ops/sync/run endpoint for the console to perform a confirmed read-only LinkedIn sync. Live validation also exposed a provider edge case where /voyager/api/me can return numeric plainId, causing the backend thread-list path to crash instead of surfacing an actionable auth/session error.

Fix

• Added POST /ops/sync/run with explicit confirm_external_read=true, read-only sync execution, runtime header support, redacted audit evidence, and zero external writes.
• Added a visible Sync now console action plus clearer next-step state for empty inboxes.
• Clarified that bearer token is local API auth only, not LinkedIn login.
• Improved the empty state to tell the operator exactly how to populate Inbox/Search.
• Normalized numeric LinkedIn profile IDs to strings and returned redacted JSON errors for ops sync failures instead of 500s.

Validation

• uv run pytest tests/test_ops_api.py tests/test_list_threads.py -q → 74 passed
• uv run pytest -q → 441 passed
• Local service restarted at http://100.113.216.73:8899; /ops/status healthy and auth_required=false
• Live /ops/sync/run now returns a redacted actionable 401 session-refresh error instead of crashing

Known gaps / blockers

• I did not print or expose LinkedIn cookies/session material.
• Live inbox population is still blocked by expired/redirected LinkedIn session cookies: POST /accounts/refresh or Chrome extension refresh is required before real conversations can sync.

Production expectation

Target branch is main. This should be reviewed/merged before calling the ops console operator-ready; main/production landing still requires Giga approval.