chore(security): redact sensitive auth logs and tighten credential file permissions

[danielecirio]

Motivation

• Reduce the risk of accidental secrets leakage from authentication logs by avoiding printing sensitive values such as PKCE verifiers, SIDs payloads and client tokens.
• Limit filesystem exposure of stored credentials by ensuring temporary credential files are written with restrictive permissions.

Description

• Replace verbose PKCE/SID payload logging in savePkce and saveSid with logs that only include non-sensitive metadata (organizationDomain) in sdk/src/utils/lruCache.ts.
• Remove raw codeVerifier and token values from the OAuth callback error log and report presence using booleans (hasRefreshToken, hasAccessToken, hasCodeVerifier) in sdk/src/auth/callbackHandler.ts.
• Stop logging full token records during SID exchange and avoid printing the client token in sdk/src/auth/sidExchange.ts and make the auth middleware message neutral in sdk/src/auth/authMiddleware.ts.
• Harden file-based credential storage by writing the temporary credentials file with restrictive mode 0600 via fs.writeFile(..., { encoding: 'utf-8', mode: 0o600 }) in sdk/src/storage/file.ts.

Testing

• Ran npm run lint --workspace sdk, which failed because the environment is missing the @typescript-eslint/eslint-plugin dependency (external to these changes).
• Ran npm run tsc --workspace sdk, which failed due to a pre-existing TypeScript error in sdk/src/startRiseactApp.ts unrelated to the security edits in this PR.

---

Codex Task