
feat: add credential profiles for secrets manager integration#160

Closed
codyfrisch wants to merge 1 commit intomondaycom:masterfrom
codyfrisch:feat/credential-commands

Conversation


@codyfrisch codyfrisch commented Apr 4, 2026

Closes #159

Summary

  • Add named credential profiles to .mappsrc that execute shell commands to fetch tokens at runtime, keeping plaintext tokens off disk
  • Add mapps profile interactive command and profile:add, profile:remove, profile:list, profile:set-default, profile:clear-default, profile:remove-token subcommands
  • Add global --profile and --ignore-profiles flags to all commands
  • Profiles are global-config only — local project .mappsrc profiles are ignored with a warning to prevent command injection from malicious repositories
  • 35 unit tests covering ConfigService profile resolution, profile subcommands, and authenticated command auth flow

This is fully backwards compatible — existing .mappsrc files and the plaintext mapps init workflow continue to work unchanged. The goal is not to remove the plaintext option, but to ensure developers have a secure alternative available so that storing credentials on disk becomes an informed choice rather than the only path offered by the tool.

Note: this also includes the env var precedence fix from #156 — pre-existing MONDAY_CODE_ACCESS_TOKEN env vars are no longer overwritten by .mappsrc config values. This is needed for correctness when profiles coexist with externally set tokens (e.g. CI). If #156 merges first, the conflict on setConfigDataInProcessEnv will be trivial to resolve.

Config format

```json
{
  "profiles": {
    "dev": "op read 'op://vault/dev/credential'",
    "prod": "echo PROD_TOKEN_HERE"
  },
  "defaultProfile": "dev"
}
```

Test plan

  • mapps profile:add --name dev --command "echo token" --set-as-default writes correct config
  • mapps profile:list displays profiles with default indicator
  • mapps profile:remove --name dev removes profile and clears default if it was the default
  • mapps profile:set-default --name prod updates defaultProfile
  • mapps profile:clear-default removes defaultProfile
  • mapps profile:remove-token removes legacy plaintext accessToken
  • mapps profile interactive flow works for add/remove/set-default/clear-default/list
  • mapps code:push --profile prod resolves the named profile at runtime
  • mapps code:push --ignore-profiles skips profile resolution
  • Profile command failure aborts with actionable error message
  • Missing profile name aborts with available profiles listed
  • No default set + no --profile flag prompts for profile selection interactively
  • Externally set env var (CI) skips profile prompt and uses the env var
  • First-run auth flow offers choice between profile and plaintext, then continues original command
  • Local .mappsrc with profiles triggers warning and profiles are ignored
  • No command ID (oclif tooling, help) skips profile resolution
  • 35 unit tests pass (16 ConfigService + 16 profile subcommands + 3 authenticated command)

codyfrisch force-pushed the feat/credential-commands branch 5 times, most recently from 859baa4 to 729d0d5 on April 5, 2026 00:51

codyfrisch commented Apr 5, 2026

Yes, I had a few amendments after the fact. Found more edge cases in the interactivity that needed to be corrected, and I thought I was done more than a few times. Also added bidirectional comments around a bug out of scope and my workaround.

codyfrisch force-pushed the feat/credential-commands branch 4 times, most recently from 8dd6662 to 7560a1b on April 5, 2026 22:58
Add named credential profiles to .mappsrc that execute shell commands
to fetch tokens at runtime, avoiding plaintext token storage on disk.
This reduces the risk of credential theft from supply chain attacks.

New commands:
- mapps profile (interactive management)
- mapps profile:add --name dev --command "op read op://vault/dev/token"
- mapps profile:remove --name dev
- mapps profile:list
- mapps profile:set-default --name dev
- mapps profile:clear-default
- mapps profile:remove-token

Global flags on all commands:
- --profile <name> to override the default profile at runtime
- --ignore-profiles to bypass profile resolution

Config format (.mappsrc):
  { "profiles": { "dev": "op read ...", "prod": "echo ..." },
    "defaultProfile": "dev" }

Env var precedence: --profile flag > defaultProfile > pre-existing
MONDAY_CODE_ACCESS_TOKEN env var > static accessToken in config.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
codyfrisch force-pushed the feat/credential-commands branch from 7560a1b to cb90afb on April 6, 2026 00:17

codyfrisch commented

Withdrawing pending a security mitigation for CVE-2025-69262. Profile command strings that contain env var references (e.g. $VAR, ${VAR}) could be used as an exfiltration vector — similar to the pnpm tokenHelper attack. Need to validate and reject such references before executing profile commands. Will reopen once that's in place.
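As an added example that is not part of this pull request or the mapps code base, the following TypeScript models three points the thread describes: the token-source precedence from the description (`--profile` > `defaultProfile` > pre-existing `MONDAY_CODE_ACCESS_TOKEN` > static `accessToken`, with `--ignore-profiles` bypassing profiles), the rule that only the global config may define profiles, and the rejection of `$VAR` / `${VAR}` references in profile commands proposed in the closing comment. All function and type names are assumptions; the `.mappsrc` shape follows the config format shown above.

```typescript
// Added example, not the mapps project's code: models the precedence the PR
// describes (--profile > defaultProfile > existing MONDAY_CODE_ACCESS_TOKEN >
// static accessToken), the global-config-only rule for profiles, and the
// env-var-reference check proposed in the withdrawal comment. Names are hypothetical.
interface MappsRc {
  profiles?: Record<string, string>;
  defaultProfile?: string;
  accessToken?: string; // legacy plaintext token
}
interface Flags { profile?: string; ignoreProfiles?: boolean }
type TokenSource =
  | { kind: "profile"; name: string; command: string }
  | { kind: "env" }     // pre-existing MONDAY_CODE_ACCESS_TOKEN
  | { kind: "static" }  // plaintext accessToken from config
  | { kind: "prompt" }; // nothing applicable: interactive selection

// $VAR / ${VAR} in a profile command would expand the caller's environment
// when the shell runs it, so reject such commands before anything executes.
const ENV_REF = /\$\{?[A-Za-z_]/;
export function validateProfileCommand(command: string): void {
  if (ENV_REF.test(command)) {
    throw new Error(`profile command must not reference environment variables: ${command}`);
  }
}

// Profiles are honoured from the global config only: a .mappsrc shipped
// inside a cloned repository must not be able to supply commands.
export function stripLocalProfiles(local: MappsRc, warn: (msg: string) => void): MappsRc {
  const { profiles, defaultProfile, ...rest } = local;
  if (profiles || defaultProfile) warn("profiles in a local .mappsrc are ignored");
  return rest;
}

export function resolveTokenSource(cfg: MappsRc, flags: Flags, env: Record<string, string | undefined>): TokenSource {
  const profiles = cfg.profiles ?? {};
  // --ignore-profiles bypasses profile resolution entirely
  const wanted = flags.ignoreProfiles ? undefined : (flags.profile ?? cfg.defaultProfile);
  if (wanted !== undefined) {
    const command: string | undefined = profiles[wanted];
    if (command === undefined) {
      throw new Error(`unknown profile "${wanted}"; available: ${Object.keys(profiles).join(", ") || "(none)"}`);
    }
    validateProfileCommand(command);
    return { kind: "profile", name: wanted, command };
  }
  if (env.MONDAY_CODE_ACCESS_TOKEN) return { kind: "env" };
  if (cfg.accessToken) return { kind: "static" };
  return { kind: "prompt" };
}
```

The resolver only decides which source to use and validates the command string; actually running the profile command is left to the caller so the check always happens first.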

@codyfrisch codyfrisch closed this Apr 6, 2026

Successfully merging this pull request may close these issues.

Feature: credential profiles for secrets manager integration