feat(auth): add support for persisting disabled flag in token storage

- Updated `FileTokenStore` and related stores (`objectstore`, `gitstore`, `postgresstore`) to include the `disabled` flag in metadata for token storage.
- Adjusted `Auth` metadata handling to initialize empty maps when absent.
- Refined logic in `auto_refresh_loop` and `conductor` to exclude `disabled` tokens from refresh checks.
- Added comprehensive unit tests to verify proper handling of the `disabled` flag in storage and retrieval operations.

sdk/cliproxy/auth/auto_refresh_loop_test.go

@@ -34,9 +34,31 @@ func setRefreshLeadFactory(t *testing.T, provider string, factory func() *time.D
 
 func TestNextRefreshCheckAt_DisabledUnschedule(t *testing.T) {
 	now := time.Date(2026, 4, 12, 0, 0, 0, 0, time.UTC)
-	auth := &Auth{ID: "a1", Provider: "test", Disabled: true}
-	if _, ok := nextRefreshCheckAt(now, auth, 15*time.Minute); ok {
-		t.Fatalf("nextRefreshCheckAt() ok = true, want false")
+	expiry := now.Add(time.Hour)
+	lead := 10 * time.Minute
+	setRefreshLeadFactory(t, "disabled-schedule", func() *time.Duration {
+		d := lead
+		return &d
+	})
+
+	auth := &Auth{
+		ID:       "a1",
+		Provider: "disabled-schedule",
+		Disabled: true,
+		Status:   StatusDisabled,
+		Metadata: map[string]any{
+			"email":      "x@example.com",
+			"expires_at": expiry.Format(time.RFC3339),
+		},
+	}
+
+	got, ok := nextRefreshCheckAt(now, auth, 15*time.Minute)
+	if !ok {
+		t.Fatalf("nextRefreshCheckAt() ok = false, want true")
+	}
+	want := expiry.Add(-lead)
+	if !got.Equal(want) {
+		t.Fatalf("nextRefreshCheckAt() = %s, want %s", got, want)
 	}
 }