Extract IsSPOG and ResolveConfigType into libs/auth

[mihaimitrea-db]

Summary

• Extract the SPOG detection heuristic into a shared IsSPOG(cfg, accountID) predicate in libs/auth/config_type.go, replacing inline checks in both profiles.go and ToOAuthArgument.
• Extract ResolveConfigType(cfg) that wraps ConfigType() with SPOG-aware overrides, used by profiles.go.
• ToOAuthArgument now calls IsSPOG instead of duplicating the DiscoveryURL + IsUnifiedHost checks inline.

Follow-up to #4929 as suggested in review comment #2 (logic duplication).

Note on IsUnifiedHost fallback scope

The IsSPOG predicate checks Experimental_IsUnifiedHost unconditionally (not gated on configType == InvalidConfig). This is broader than the previous inline check in profiles.go, which only fired for InvalidConfig. This is safe because the SDK currently returns InvalidConfig for all unified hosts (the UnifiedHost case was removed from ConfigType() in v0.126.0). It is also more robust against future SDK changes that might reclassify unified hosts differently.

Test plan

• TestResolveConfigType — 9-case table-driven unit test in libs/auth/config_type_test.go.
• All existing TestProfileLoad* and TestToOAuthArgument* tests pass.
• go test ./libs/auth/ ./cmd/auth/ passes.

[simonfaltum]

Looks good, clean extraction. Two small suggestions:

1. The IsUnifiedHost fallback in ResolveConfigType is now broader than before (applies to any non-AccountConfig, not just InvalidConfig). Verified it's safe today since the SDK still returns InvalidConfig for unified hosts, and it's actually more robust against future SDK changes. Worth a quick note in the PR description so other reviewers don't have to trace through HostType() to verify.

2. The else if err := cfg.EnsureResolved(); err == nil { // comment } pattern in arguments.go reads a bit odd since the body is empty and the error check doesn't gate anything. Something like } else { _ = cfg.EnsureResolved() } would make the side-effect intent clearer. Not a big deal though.