Epic: OAuth Token Management (encrypted storage + refresh + revoke) #4

@Hozyne-OpenBak

Part of #2

Securely store OAuth tokens at rest.

Tasks:

  • AES-256-GCM encryption
  • PBKDF2 key derivation
  • JSON storage format (~/.infershield/tokens.json)
  • Read/write/delete operations

Security:

  • Master key from INFERSHIELD_MASTER_KEY env var
  • Random IV per token
  • Store: {iv, authTag, ciphertext}

Refresh / lifecycle (from #5)

  • Check expiry before use
  • Refresh if nearing expiry (e.g., <5m)
  • Persist refreshed tokens
  • Handle refresh failure (revoke + re-auth required)

(Former issue #5 merged here.)
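A sketch of the storage record and expiry check listed above, as an added example that is not part of the issue or the project's code. The PBKDF2 parameters (SHA-256, 600,000 iterations, random 16-byte salt), base64 field encoding, the `expiresAt` field and all function names are assumptions; the issue specifies only AES-256-GCM, PBKDF2, a random IV per token and the `{iv, authTag, ciphertext}` layout.

```javascript
const crypto = require('node:crypto');

// Assumptions (not in the issue): PBKDF2-HMAC-SHA256, 600,000 iterations,
// a random 16-byte salt kept beside the records, base64 field encoding.
const PBKDF2_ITERATIONS = 600000;

function deriveKey(masterKey, salt) {
  return crypto.pbkdf2Sync(masterKey, salt, PBKDF2_ITERATIONS, 32, 'sha256');
}

// Encrypt one token object into the {iv, authTag, ciphertext} record.
function encryptToken(key, token) {
  const iv = crypto.randomBytes(12); // fresh 96-bit IV for every token
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(token), 'utf8'), cipher.final()]);
  return {
    iv: iv.toString('base64'),
    authTag: cipher.getAuthTag().toString('base64'),
    ciphertext: ct.toString('base64'),
  };
}

// Decrypt a record; throws if the key is wrong or any field was modified.
function decryptToken(key, record) {
  const iv = Buffer.from(record.iv, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(Buffer.from(record.authTag, 'base64'));
  const ct = Buffer.from(record.ciphertext, 'base64');
  const plain = Buffer.concat([decipher.update(ct), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// "Refresh if nearing expiry (<5m)": expiresAt is epoch milliseconds (assumed field).
function needsRefresh(token, nowMs = Date.now(), windowMs = 5 * 60 * 1000) {
  return token.expiresAt - nowMs < windowMs;
}

// Constructed demo values; real code reads the INFERSHIELD_MASTER_KEY env var.
function demo() {
  const salt = crypto.randomBytes(16);
  const key = deriveKey('constructed-demo-master-key', salt);
  const token = { accessToken: 'constructed-access-token', expiresAt: Date.now() + 120000 };
  const record = encryptToken(key, token);
  return { key, record, restored: decryptToken(key, record), refresh: needsRefresh(token) };
}

console.log(demo().record);
```

Because GCM authenticates the ciphertext, a record edited on disk fails in `decipher.final()` rather than yielding a corrupted token, so callers should treat that exception as "re-auth required".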

Labels: enhancement, high priority, security
