Summary

Extend sf-bridge (under the busbar feature) to resolve Salesforce credentials from Busbar's credential sources rather than requiring a pre-authenticated SalesforceRestClient.

Context

Currently sf-bridge expects the caller to provide an already-authenticated SalesforceRestClient. For Busbar integration, the host must resolve credentials transparently:

• Local development: OS keychain via busbar-keychain (existing)
• CI/CD: GitHub Environment secrets (set by the Agency's ephemeral session)
• The WASM guest never sees tokens — credential resolution happens entirely on the host side

Implementation

Credential Resolution Chain

1. Check environment variables (SF_ACCESS_TOKEN, SF_INSTANCE_URL) — set by ephemeral session
2. Fall back to Busbar keychain (busbar-keychain::SecretStore)
3. If JWT credentials available, perform JWT bearer auth to get access token
4. Cache access token with TTL, auto-refresh on expiry

Integration Points

• SfBridge::new_with_busbar_auth(config: BusbarAuthConfig) constructor
• BusbarAuthConfig holds: keychain path, env var prefix, JWT bearer params
• Token refresh handled transparently — guest never aware of auth mechanics

Acceptance Criteria

• SfBridge can be constructed with BusbarAuthConfig (no pre-authenticated client needed)
• Resolves credentials from env vars when present (CI/CD path)
• Falls back to OS keychain when env vars absent (local path)
• Supports JWT bearer auth flow with auto-refresh
• Access token cached with TTL, transparent refresh
• All existing tests continue to pass
• WASM guest has zero visibility into credential resolution

Dependencies

• Issue 1.2 (busbar feature exists)

Part of

Epic 1: busbar-sf-api WASM Bridge Integration