Extract proxy auth into a token.Source abstraction

[samcm]

Token handling was split across two packages and implemented twice — the interactive grant in pkg/auth/{client,store}, and a separate in-memory client_credentials cache plus mode-branching and a mode-specific 401 retry living inside the proxy client. This introduces pkg/auth/token with one Source interface (Token/Invalidate) and a NewSource factory that owns the grant decision and builds the OAuth client + credential store, so the proxy resolves only its issuer and holds an opaque Source — the ccTokens cache, usesClientCredentials branching, and clientCredentialsToken all leave pkg/proxy. It also refreshes the access token proactively at 50% of its lifetime (shared client.ShouldRefresh policy, a one-line change to flip to 75%) rather than waiting for the 5-minute expiry buffer, and adds a uniform invalidate-and-retry-once on 401/403 across every server-to-proxy request path (ClickHouseQuery, Discover, the server-side query funnel, and the embedder), replacing the client_credentials-only retry so a server-side token revocation self-heals regardless of grant.

proxy.Service gains an Invalidate() method (used by the retry), which required a one-line addition to the existing proxy implementations and test fakes.

[github-actions]

🐼 Smoke eval — da84747: ✅ 6/6 pass

📊 Interactive report — tokens p50 13,844 · tokens/solve 13,930.

Reference points: v0.33.0 100% · refactor-auth-tokensource@d822db0 100% · master@e46fe2b 100%.

question	result	tokens	tools
forky_node_coverage	✅	12,415	3
tracoor_node_coverage	✅	13,117	4
mainnet_block_arrival_p50	✅	17,338	12
list_datasources	✅	11,395	1
block_count_24h	✅	14,571	8
missed_slots_24h	✅	14,741	6

🔭 Langfuse traces (6 runs; ⚠️ = failed)

• forky_node_coverage
• tracoor_node_coverage
• mainnet_block_arrival_p50
• list_datasources
• block_count_24h
• missed_slots_24h

_{The report walks this branch's commits against the master baseline and the most recent release. A self-contained copy is in the run's eval-smoke-* artifact.}