fix(oauth): surface unreadable-token state + log decryption failures

Two diagnostic fixes for the recurring "calendar shows disconnected
even though I just reconnected" loop:

- load_oauth_json_exact silently swallowed SecretStore decryption
  errors. The most common cause is a keychain ACL mismatch (dev↔prod
  bundle id, recent encryption toggle, or revoked keychain item) which
  makes every encrypted token unreadable — but the caller saw None,
  indistinguishable from "no token stored", and pushed the user toward
  a reconnect that just re-encrypts under the active bundle's key and
  breaks the same way next time. Now logs a WARN with the underlying
  cause so next failure is diagnosable from logs alone.
- OAuthStatus gains a needs_attention field, set by oauth_status when a
  token row exists in the store but is_oauth_instance_connected returns
  false. Calendar UI uses it to flip the google provider into "ok=false,
  connected=true" so the meeting-notes empty state shows "calendar needs
  attention" instead of pushing the user to a reconnect that won't help.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>