auth: add unit and acceptance tests for secure-storage guards (#5077)

## Why

I smoke-tested the experimental secure token storage opt-in against a
live Databricks workspace (env-var and config-file paths) and noticed
three gaps in automated coverage that CI does not catch today:

1. The cmd-layer guard that keeps secure, plaintext, and unknown modes
from writing legacy host-keyed entries has no direct unit test.
2. The config-file source of the storage mode has no invalid-value
acceptance test (only the env var does).
3. Nothing asserts that \`DATABRICKS_AUTH_STORAGE\` beats
\`[__settings__] auth_storage\` in \`.databrickscfg\`.

All three are safe to automate without touching a real OS keyring.

## Changes

**Before:** \`dualWriteLegacyHostKey\` is only exercised indirectly
through login-flow tests; storage-mode acceptance coverage is limited to
\`invalid-env\` and \`legacy-env-default\`.

**Now:** three test additions, no behavior change.

- \`cmd/auth/login_test.go\`: add \`TestDualWriteLegacyHostKey\` with
five table-driven cases (legacy mirrors host key, legacy no-op on empty
cache, secure / plaintext / unknown modes all skip dual-write).
- \`acceptance/cmd/auth/storage-modes/invalid-config/\`: mirror of
\`invalid-env\` for the config-file source. Writes \`[__settings__]
auth_storage = bogus\` and asserts the error names \`auth_storage\` as
the source.
- \`acceptance/cmd/auth/storage-modes/env-overrides-config/\`: config
says \`secure\`, env says \`legacy\`; \`auth logout\` clears the
file-backed cache, proving the env override wins and the keyring is
never touched.

## Test plan

- [x] \`go test ./cmd/auth/... ./libs/auth/...\` passes
- [x] \`go test ./acceptance -run 'TestAccept/cmd/auth/'\` passes
- [x] \`make checks\` clean
- [x] \`make lint\` 0 issues
- [x] New unit test passes in isolation and with \`-race\`
- [x] Both acceptance tests pass under both \`DATABRICKS_BUNDLE_ENGINE\`
matrix variants

Safe for CI: none of the added tests touch a real OS keyring, per the
secure-storage rollout plan.

Author: simonfaltum

acceptance/cmd/auth/storage-modes/env-overrides-config/out.test.toml

@@ -0,0 +1,11 @@
+
+=== Token cache keys before logout
+[
+  "dev"
+]
+
+>>> [CLI] auth logout --profile dev --auto-approve
+Logged out of profile "dev". Use --delete to also remove it from the config file.
+
+=== Token cache keys after logout (should be empty)
+[]

acceptance/cmd/auth/storage-modes/env-overrides-config/output.txt

@@ -0,0 +1,35 @@
+export DATABRICKS_AUTH_STORAGE=legacy
+
+cat > "./home/.databrickscfg" <<ENDCFG
+[__settings__]
+auth_storage = secure
+
+[dev]
+host = https://accounts.cloud.databricks.com
+account_id = account-id
+auth_type  = databricks-cli
+ENDCFG
+
+mkdir -p "./home/.databricks"
+cat > "./home/.databricks/token-cache.json" <<ENDCACHE
+{
+  "version": 1,
+  "tokens": {
+    "dev": {
+      "access_token": "dev-cached-token",
+      "token_type": "Bearer"
+    }
+  }
+}
+ENDCACHE
+
+title "Token cache keys before logout\n"
+jq -S '.tokens | keys' "./home/.databricks/token-cache.json"
+
+# Env var = legacy must beat [__settings__] auth_storage = secure.
+# Proof: logout clears the file-backed token-cache.json. If the env override
+# were ignored, the CLI would try the keyring and leave the file cache alone.
+trace $CLI auth logout --profile dev --auto-approve
+
+title "Token cache keys after logout (should be empty)\n"
+jq -S '.tokens | keys' "./home/.databricks/token-cache.json"

acceptance/cmd/auth/storage-modes/env-overrides-config/script

@@ -0,0 +1,5 @@
+
+>>> [CLI] auth token --profile nonexistent
+Error: auth_storage: unknown storage mode "bogus" (want legacy, secure, or plaintext)
+
+Exit code: 1

acceptance/cmd/auth/storage-modes/invalid-config/out.test.toml

@@ -0,0 +1,8 @@
+cat > "./home/.databrickscfg" <<ENDCFG
+[__settings__]
+auth_storage = bogus
+ENDCFG
+
+# auth token is the smallest reproducer that resolves the storage mode
+# without performing any network I/O.
+trace $CLI auth token --profile nonexistent

acceptance/cmd/auth/storage-modes/invalid-config/output.txt

@@ -15,6 +15,7 @@ import (
 	"time"
 
 	"github.com/databricks/cli/libs/auth"
+	"github.com/databricks/cli/libs/auth/storage"
 	"github.com/databricks/cli/libs/cmdio"
 	"github.com/databricks/cli/libs/databrickscfg/profile"
 	"github.com/databricks/cli/libs/env"
@@ -1089,3 +1090,73 @@ func TestLoginRejectsPositionalArgWithProfileFlag(t *testing.T) {
 	err := cmd.Execute()
 	assert.ErrorContains(t, err, `argument "https://example.com" cannot be combined with --host or --profile`)
 }
+
+func TestDualWriteLegacyHostKey(t *testing.T) {
+	const (
+		profileName = "dual-profile"
+		host        = "https://dual-host.example.com"
+	)
+	tok := &oauth2.Token{AccessToken: "abc", RefreshToken: "r"}
+
+	cacheWithToken := func() *inMemoryTokenCache {
+		return &inMemoryTokenCache{Tokens: map[string]*oauth2.Token{profileName: tok}}
+	}
+	emptyCache := func() *inMemoryTokenCache {
+		return &inMemoryTokenCache{Tokens: map[string]*oauth2.Token{}}
+	}
+	newArg := func(t *testing.T) *u2m.BasicDiscoveryOAuthArgument {
+		arg, err := u2m.NewBasicDiscoveryOAuthArgument(profileName)
+		require.NoError(t, err)
+		arg.SetDiscoveredHost(host)
+		return arg
+	}
+
+	cases := []struct {
+		name        string
+		mode        storage.StorageMode
+		cache       func() *inMemoryTokenCache
+		wantHostKey bool
+	}{
+		{
+			name:        "legacy mirrors cached token under host key",
+			mode:        storage.StorageModeLegacy,
+			cache:       cacheWithToken,
+			wantHostKey: true,
+		},
+		{
+			name:  "legacy is a no-op when cache has no entry",
+			mode:  storage.StorageModeLegacy,
+			cache: emptyCache,
+		},
+		{
+			name:  "secure skips dual-write",
+			mode:  storage.StorageModeSecure,
+			cache: cacheWithToken,
+		},
+		{
+			name:  "plaintext skips dual-write",
+			mode:  storage.StorageModePlaintext,
+			cache: cacheWithToken,
+		},
+		{
+			name:  "unknown mode skips dual-write",
+			mode:  storage.StorageModeUnknown,
+			cache: cacheWithToken,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			c := tc.cache()
+			dualWriteLegacyHostKey(t.Context(), c, newArg(t), tc.mode)
+
+			got, err := c.Lookup(host)
+			if tc.wantHostKey {
+				require.NoError(t, err)
+				assert.Equal(t, tok, got)
+			} else {
+				assert.ErrorIs(t, err, cache.ErrNotFound)
+			}
+		})
+	}
+}