fix(auth): canonicalize Google Antigravity provider and enhance credential management

[lc6464]

📝 Description

This PR fixes the Google Antigravity credential expiry inconsistency reported in #2550.

The root cause was in the auth store layer rather than in the OAuth refresh flow itself. Historical auth.json files could contain both the legacy antigravity key and the canonical google-antigravity key at the same time. In that state, Web UI code reading the canonical provider and CLI auth status iterating the raw credential map could observe different expiry timestamps, making it look like picoclaw auth login --provider google-antigravity did not update expires_at.

To fix this, the auth store now canonicalizes antigravity to google-antigravity on read/write, merges legacy and canonical entries into a single credential view, prefers the newer expiry when both exist, and preserves other fields such as refresh token, email, project ID, and account ID. The PR also adds regression coverage for the legacy alias merge path, alias deletion, provider normalization, and the CLI auth status output path that matches the issue reproduction more closely.

🗣️ Type of Change

• 🐞 Bug fix (non-breaking change which fixes an issue)
• ✨ New feature (non-breaking change which adds functionality)
• 📖 Documentation update
• ⚡ Code refactoring (no functional changes, no api changes)

🤖 AI Code Generation

• 🤖 Fully AI-generated (100% AI, 0% Human)
• 🛠️ Mostly AI-generated (AI draft, Human verified/modified)
• 👨‍💻 Mostly Human-written (Human lead, AI assisted or none)

🔗 Related Issue

Fixes #2550

📚 Technical Context

• Reference URL: [BUG] Shouldnt picoclaw auth login --provider google-antigravity updates the token expiration unless it is via browser-oauth ? #2550
• Reasoning: The reported symptom was caused by inconsistent handling of legacy provider aliases in auth.json, not by a missing token refresh from the provider. Normalizing provider keys and merging legacy/canonical entries in the auth store ensures that CLI and Web UI read the same credential state and the refreshed expiry time is visible consistently after login.

🧪 Test Environment

• Hardware: Local x64 Server
• OS: Ubuntu Server 24
• Model/Provider: -
• Channels: -

☑️ Checklist

• My code/docs follow the style of this project.
• I have performed a self-review of my own changes.
• I have updated the documentation accordingly.

[Copilot]

Pull request overview

This PR addresses inconsistent Google Antigravity credential expiry reporting by canonicalizing the legacy antigravity provider key to google-antigravity inside the auth store layer, ensuring CLI/Web UI read the same merged credential state.

Changes:

• Add provider key canonicalization + legacy/canonical merge logic in the auth store (preferring newer expiry and preserving non-empty fields).
• Update auth store tests to use a shared home override helper and add regression tests for alias merge/delete/normalization behavior.
• Add CLI auth status regression test to ensure only the canonical provider is displayed after refreshing credentials.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
pkg/auth/store.go	Canonicalizes provider names and merges legacy/canonical credentials during Load/Get/Set/Delete.
pkg/auth/store_test.go	Adds helpers and regression tests for alias merging, canonicalization, and deletion behavior.
cmd/picoclaw/internal/auth/status_test.go	Adds CLI output regression test covering the reported inconsistent expiry scenario.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.