engflow_auth: Add export subcommand

[minor-fixes]

This change adds an export subcommand which prints the (*oauth2.Token).AccessToken field for the specified cluster to stdout, when:

• a token is stored for the specified cluster
• the token is not expired

This isn't any less secure than using engflow_auth get, which is another variation on the same intent; since the token storage currently used is backed by the OS keychain, only the current user should be able to fetch tokens they've stored.

Tested: unit tests added
Bug: linear/CUS-367

[jayconrod]

Nit: give the user a hint on what they should pass here.

Suggested change

	return autherr.CodedErrorf(autherr.CodeBadParams, "expected exactly 1 positional argument; got %d positional arguments", cliCtx.NArg())
	return autherr.CodedErrorf(autherr.CodeBadParams, "expected exactly 1 positional argument, a cluster host name; got %d", cliCtx.NArg())

[minor-fixes]

Done!

[jayconrod]

Not seeing the difference in this commit. Was it added?

[minor-fixes]

No, looks like I got bamboozled by VSCode - fixed

[jayconrod]

No point in allocating a new value with new then replacing with errors.As. Use nil instead.

Suggested change

	if reauthErr := new(autherr.CodedError); errors.As(err, &reauthErr) && reauthErr.Code == autherr.CodeReauthRequired {
	if reauthErr := (*autherr.CodedError)(nil); errors.As(err, &reauthErr) && reauthErr.Code == autherr.CodeReauthRequired {

[minor-fixes]

Done!

[jayconrod]

This is a serialization format, so let's think about this carefully. It's quite likely that whatever's printed here will be read and written by different version of this program. If we only print the token, there's no way to extend the format and include more information.

I'd suggest instead that we stick this in a JSON structure and comment not to make any backward-incompatible changes. That will let us add new fields later on if we need to.

An example of something that might be nice: we could include the cluster URL so there's no need to specify it in the corresponding import command.

[rogerhu]

Right - the token really has an affinity to the cluster URL as well.

Does it also include the expiry time too?

[minor-fixes]

Done; added tests to make this more clear

[jayconrod]

Not seeing the difference in this commit. Was it added?

[jayconrod]

A gentle request for easier reviews: please don't force-push after someone has reviewed. It makes it difficult to see what has changed between reviews. Normally, I can click Show changes since your last review, but after a force-push, that doesn't work because the old commits are gone.

If you need to update the branch, git merge works best, since it preserves the old commits. git rebase plus new commits requires a force-push, so it makes the review harder, but it's still possible to look at the last couple commits directly. git commit --amend makes everything harder though.

We squash and merge everything, so the end result of all these is the same. It's just a convenience for reviewers.