Remove the Entire DB credential-store integration

[Soph]

Why

git-sync carried a bespoke Entire credential path: auth.Resolve fell back to an active-user lookup in ~/.config/entire/hosts.json plus a file/keyring token store and OAuth refresh-token handling (client_id=entire-cli). Investigation of the actual consumers shows nothing produces that layout anymore:

• mirror-pipeline (the only library consumer that talks to entiredb) supplies credentials directly at the transport layer — GitHub App installation tokens for the source, and per-request entire-core repo-scoped bearers injected by its own bearerTransport for the target. It never provisions hosts.json/ENTIRE_TOKEN_STORE, so git-sync's lookup always returned empty there.
• Client-side entire:// auth is owned by the separate git-remote-entire helper, which uses the newer contexts.json + cluster-discovery model — not this token store.

So the lookup only ever read a store no current producer writes.

What

• Delete internal/auth/entiredb.go and internal/auth/tokenstore.go, and the LookupEntireDBCredential fallback. auth.Resolve now resolves explicit token/bearer credentials only and otherwise returns nil, so the git credential helper is consulted on a 401 — exactly as for any other remote. (Its error return, always-nil after the change, is dropped.)
• Remove the now-orphaned entiredb tests and the local-Entire smoke test + its dead mise tasks.
• Drop the github.com/zalando/go-keyring dependency.
• Bonus: with the file token store gone, the syscall.Flock usage that broke the Windows build disappears — the module now cross-compiles for windows cleanly.

Supersedes

• Fix entiredb token-refresh: doc, caller context, and proxy #90 (entiredb token-refresh doc/context/proxy fix) and Make the token-store file lock compile and work on Windows #92 (tokenstore Windows flock fix) were both polishing this now-deleted code. I'll close them in favor of this.

Verification

go build/vet/test ./..., gofmt -l -s ., golangci-lint run ./... (0 issues), and GOOS=windows go build ./... all pass; go mod tidy is a no-op; keyring/wincred/godbus are gone from the dependency graph.

🤖 Generated with Claude Code

---

Note

Medium Risk
Auth behavior changes for anyone relying on ENTIRE_CONFIG_DIR / token store without explicit flags—those users must pass tokens or use git credential helper. The deleted path was reportedly unused by current producers, limiting blast radius.

Overview
Removes the bespoke Entire DB auth path (hosts.json active user, file/keyring token store, OAuth refresh) and narrows auth.Resolve to explicit token/bearer only; when nothing is set it returns nil and the existing git credential helper path runs after a 401, same as any other HTTP remote. The (Method, error) return becomes Method only.

Deletes internal/auth/entiredb.go and internal/auth/tokenstore.go, drops github.com/zalando/go-keyring (and related indirect deps), and removes Entire-specific tests plus the optional local-Entire smoke test and its mise tasks. Docs/changelog note the slimmer auth model; removing the file token store’s flock usage restores clean Windows cross-compiles.

^{Reviewed by Cursor Bugbot for commit 623e9ea. Configure here.}