Auto-migrate legacy credentials.enc to per-account format and remove fallback paths

[jpoehnelt]

Problem

The multi-account auth system (PR #85) introduced per-account credential files (credentials.<b64-email>.enc) but kept a fallback to the legacy credentials.enc path. This dual-path creates bugs:

• handle_export() only reads legacy path (auth export doesn't export credentials #179)
• Login without --account saves as "(unknown)" (gws auth login in a loop? #187)
• Scope-bound credentials (PR fix: store granted scopes in credentials, warn on scope escalation via export #202) cannot work with the legacy format
• Every auth feature/fix must handle both formats

Proposal

In the next minor release, auto-migrate legacy credentials on startup:

1. If credentials.enc exists and no per-account files exist:
   • Decrypt the legacy file
   • Extract email from the refresh token (via tokeninfo or stored metadata)
   • Re-save as credentials.<b64-email>.enc
   • Register the account in accounts.json
   • Rename credentials.enc → credentials.enc.bak
   • Print: "Migrated credentials to new format. Backup at credentials.enc.bak"
2. If migration fails (no email extractable): prompt user to re-run gws auth login
3. Remove all legacy fallback code paths from auth.rs, auth_commands.rs, and credential_store.rs

Impact

• Users on v0.5+ (post multi-account): no impact, already on new format
• Users on v0.3-0.4 (legacy): auto-migrated transparently, worst case re-login
• Codebase: removes ~50 lines of fallback logic, simplifies every auth code path

Related Issues

Fixes #179, fixes #187, unblocks PR #202

Changeset

"@googleworkspace/cli": minor

Auto-migrate legacy credentials.enc to per-account format on first run.
Remove legacy credential fallback paths.