fix(storage): distinguish keychain user cancellation, auth failure, and error status from not-found

[datlechin]

Summary

• KeychainResult and KeychainStringResult gain three new cases: .userCancelled, .authFailed, .error(OSStatus).
• KeychainHelper.read(forKey:) now maps errSecUserCanceled and errSecAuthFailed to their own cases and routes any other unknown OSStatus to .error(status) instead of pretending it was .notFound.
• readStringResult(forKey:) propagates the new cases and returns .error(errSecDecode) (not .notFound) when the bytes are not valid UTF-8.
• All four read sites (connection passwords / SSH profile secrets / AI provider keys / license key) handle every case with a distinct OSLog line and continue to return nil to the caller.

Why this matters

This is bug B4 from the full-app audit. A cancelled Touch ID prompt returns errSecUserCanceled; previously the default: arm collapsed it to .notFound, the caller treated the password as gone and re-prompted the user. The user re-types the password, the keychain ends up with two entries, or the connection gets re-saved with a blank password. The new cases let callers tell apart "I never had this saved" from "the user just cancelled" from "biometric auth failed" from "real keychain error", and the OSLog signal makes the failure mode diagnosable.

Test plan

• Cancel a Touch ID prompt, confirm log line Keychain prompt cancelled for 'com.TablePro.password.<id>' appears and the connection is not re-saved with a blank password.
• Connection / SSH profile / AI key / license-key paths each load normally when the keychain entry is present.
• swiftlint --strict clean.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.