fix: persist refreshable OAuth sessions #725

Draft
lox wants to merge 2 commits into main from fix/oauth-refreshable-sessions

@lox (Contributor) commented Mar 28, 2026

Summary

This updates the CLI to store full OAuth sessions in the system keychain instead of only storing the access token, and to refresh access tokens automatically when a stored session is near expiry.

It also fixes custom REST endpoint handling during bk auth login. go-buildkite expects the API base URL and appends v2/... itself, so endpoints set to something like http://api.buildkite.localhost/v2 were ending up as /v2/v2/....

Changes

  • add an oauth.Session model and refresh token grant support
  • store OAuth sessions in the keychain as JSON, while still reading legacy plaintext tokens
  • refresh stored OAuth sessions transparently from the config layer before returning an API token
  • update bk auth login to persist the full session after the code exchange
  • respect BUILDKITE_REST_API_ENDPOINT when resolving the authorised organisation after login
  • normalise BUILDKITE_REST_API_ENDPOINT values ending in /v2 so they work correctly with go-buildkite
  • add regression tests for refresh grants, config-driven refresh, login endpoint resolution, and /v2 endpoint normalisation

Verification

  • go test ./internal/config ./cmd/auth ./pkg/oauth
  • mise run lint
  • local end-to-end verification against buildkite.localhost
  • completed a real browser login for org test
  • confirmed the session was stored with refresh_token and expires_at
  • forced the stored session to expire and verified automatic refresh
  • confirmed both the access token and refresh token were rotated and persisted

@lox force-pushed the fix/oauth-refreshable-sessions branch from f6f8e13 to 59d79a3 on March 28, 2026 11:51
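
The storage and refresh decisions described in the PR summary, as an added example that is not code from this pull request or the Buildkite CLI. The `Session` fields other than `refresh_token` and `expires_at`, the function names, and the one-minute skew are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Session is a hypothetical shape for the stored keychain value; only
// refresh_token and expires_at are named on the page.
type Session struct {
	AccessToken  string    `json:"access_token"`
	RefreshToken string    `json:"refresh_token"`
	ExpiresAt    time.Time `json:"expires_at"`
}

// ParseStored decodes a keychain value. Anything that is not a JSON session
// is treated as a legacy plaintext access token with no refresh capability.
func ParseStored(raw string) Session {
	raw = strings.TrimSpace(raw)
	var s Session
	if strings.HasPrefix(raw, "{") && json.Unmarshal([]byte(raw), &s) == nil && s.AccessToken != "" {
		return s
	}
	return Session{AccessToken: raw}
}

// NeedsRefresh reports whether a session carries a refresh token and
// expires within skew of now.
func NeedsRefresh(s Session, now time.Time, skew time.Duration) bool {
	if s.RefreshToken == "" || s.ExpiresAt.IsZero() {
		return false // legacy token or no recorded expiry: use as-is
	}
	return !now.Add(skew).Before(s.ExpiresAt)
}

// NormalizeEndpoint strips a trailing /v2 so a client that appends v2/...
// itself does not build /v2/v2/... paths.
func NormalizeEndpoint(endpoint string) string {
	return strings.TrimSuffix(strings.TrimRight(endpoint, "/"), "/v2")
}

func main() {
	// Constructed sample values, not real credentials.
	stored := `{"access_token":"at-1","refresh_token":"rt-1","expires_at":"2026-03-28T12:00:00Z"}`
	now := time.Date(2026, 3, 28, 11, 59, 30, 0, time.UTC)
	fmt.Println(NeedsRefresh(ParseStored(stored), now, time.Minute))
	fmt.Println(NormalizeEndpoint("http://api.buildkite.localhost/v2"))
}
```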