auth describe: show U2M token storage location and source (#5211)

## Why

Users have no way to tell where the CLI is storing their U2M
(`databricks-cli`) token. As we move toward making secure storage the
default at GA, users need to confirm whether their tokens live in the OS
keyring or in `~/.databricks/token-cache.json`, and which precedence
level produced that choice. `gh auth status` does this with a
`(keyring)` or `(/path/to/hosts.yml)` suffix; we want the same.

## Changes

Before: `databricks auth describe` showed host, user, auth type, and a
"Current configuration" block, with no information about U2M token
storage.

Now: For profiles using `auth_type = databricks-cli`, output adds:

```
Token storage: plaintext, ~/.databricks/token-cache.json (from default)
```

or

```
Token storage: secure, OS keyring (service: databricks-cli) (from DATABRICKS_AUTH_STORAGE environment variable)
```

The `(from ...)` clause matches the existing config-attribute annotation
style. Other auth types (PAT, M2M, OIDC, Azure, etc.) do not use the U2M
cache and the line is omitted entirely (no field in JSON either).

JSON output adds a `token_storage: { mode, location, source }` object
alongside `details`.

Implementation:

- `libs/auth/storage/mode.go`: `ResolveStorageModeWithSource` now
returns a typed `StorageSource` (`Default | Override | EnvVar | Config`)
instead of an opaque bool. `StorageSource.String()` produces user-facing
labels matching `config.Source.String()` style.
- `libs/auth/storage/cache.go`: only existing in-repo caller updated to
use `source.Explicit()`.
- `cmd/auth/describe.go`: new `tokenStorageInfo` struct +
`resolveTokenStorageInfo` helper. Templates conditionally render the new
line. Only resolves when `auth_type == "databricks-cli"`; resolver
errors are debug-logged and treated as "no info available" rather than
failing describe.

No probing of either backend at describe time. The describe command
already makes a live API call that validates the token works;
double-probing would add a 3-second hang on Linux without Secret Service
for no extra signal. Following up with a `--check-token` flag is a
separate change if there's appetite for it.

## Test plan

- [x] Unit tests for `StorageSource.String()` and `.Explicit()`
- [x] Updated `TestResolveStorageModeWithSource` for the new return type
- [x] New `TestResolveTokenStorageInfo` table test covering U2M+default,
U2M+env, and non-U2M
- [x] New `TestGetWorkspaceAuthStatus_U2M_PopulatesTokenStorage` and
`TestGetWorkspaceAuthStatus_NonU2M_OmitsTokenStorage`
- [x] New acceptance tests at
`acceptance/cmd/auth/describe/u2m-plaintext-default/` and
`u2m-plaintext-env/`
- [x] Existing PAT acceptance test (`default-profile/`) still passes
unchanged
- [x] Manual smoke: built CLI, ran describe with U2M+default,
U2M+secure-env, and PAT profiles. Output is correct in both text and
JSON.
- [x] `./task checks` and `./task lint-q` clean

Secure-storage acceptance tests are intentionally omitted: they would
actually query the OS keyring on macOS (potential prompt) or hit the 3s
timeout on Linux CI without Secret Service. Unit tests cover the secure
path on any platform.

Author: simonfaltum

NEXT_CHANGELOG.md

@@ -4,6 +4,8 @@
 
 ### CLI
 
+* `databricks auth describe` now reports where U2M (`databricks-cli`) tokens are stored: `plaintext` (`~/.databricks/token-cache.json`) or `secure` (OS keyring), and the source of the choice (env var, config setting, or default).
+
 ### Bundles
 
 * Fixed `--force-pull` on `bundle summary` and `bundle open` so the flag bypasses the local state cache and reads state from the workspace.

acceptance/cmd/auth/describe/u2m-json-output/out.test.toml

@@ -0,0 +1,8 @@
+
+>>> [CLI] auth describe --profile u2m-profile --output json
+Warn: [hostmetadata] failed to fetch host metadata for https://u2m-profile.databricks.test, will skip for 1m0s
+{
+  "mode": "plaintext",
+  "location": "~/.databricks/token-cache.json",
+  "source": "default"
+}

acceptance/cmd/auth/describe/u2m-json-output/output.txt

@@ -0,0 +1,16 @@
+sethome "./home"
+
+unset DATABRICKS_HOST
+unset DATABRICKS_TOKEN
+unset DATABRICKS_CONFIG_PROFILE
+unset DATABRICKS_AUTH_STORAGE
+
+cat > "./home/.databrickscfg" <<ENDCFG
+[u2m-profile]
+host       = https://u2m-profile.databricks.test
+auth_type  = databricks-cli
+ENDCFG
+
+# Filter to just the new token_storage object so the assertion is focused
+# and doesn't churn when other fields evolve.
+trace $CLI auth describe --profile u2m-profile --output json | jq '.token_storage'

acceptance/cmd/auth/describe/u2m-json-output/script

@@ -0,0 +1,3 @@
+Ignore = [
+    "home"
+]

acceptance/cmd/auth/describe/u2m-json-output/test.toml

@@ -0,0 +1,12 @@
+
+>>> [CLI] auth describe --profile u2m-profile
+Warn: [hostmetadata] failed to fetch host metadata for https://u2m-profile.databricks.test, will skip for 1m0s
+Unable to authenticate: error getting token: cache: token not found
+Token storage: plaintext, ~/.databricks/token-cache.json (from auth_storage in [__settings__] section of home/.databrickscfg)
+-----
+Current configuration:
+  ✓ host: https://u2m-profile.databricks.test (from ./home/.databrickscfg config file)
+  ✓ profile: u2m-profile (from --profile flag)
+  ✓ databricks_cli_path: [CLI]
+  ✓ auth_type: databricks-cli (from ./home/.databrickscfg config file)
+  ✓ rate_limit: [NUMID] (from DATABRICKS_RATE_LIMIT environment variable)

acceptance/cmd/auth/describe/u2m-plaintext-config/out.test.toml

@@ -0,0 +1,17 @@
+sethome "./home"
+
+unset DATABRICKS_HOST
+unset DATABRICKS_TOKEN
+unset DATABRICKS_CONFIG_PROFILE
+unset DATABRICKS_AUTH_STORAGE
+
+cat > "./home/.databrickscfg" <<ENDCFG
+[__settings__]
+auth_storage = plaintext
+
+[u2m-profile]
+host       = https://u2m-profile.databricks.test
+auth_type  = databricks-cli
+ENDCFG
+
+trace $CLI auth describe --profile u2m-profile

acceptance/cmd/auth/describe/u2m-plaintext-config/output.txt

@@ -0,0 +1,3 @@
+Ignore = [
+    "home"
+]