fix(plugins): prevent untrusted workspace plugins from hijacking bundled provider auth choices [AI] (#62368)

* fix: address issue

* fix: address review feedback

* docs(changelog): add onboarding auth-choice guard entry

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

* fix: address PR review feedback

---------

Co-authored-by: Devin Robison <drobison@nvidia.com>

src/plugins/providers.runtime.ts

@@ -89,6 +89,7 @@ function resolveSetupProviderPluginLoadState(
     workspaceDir: base.workspaceDir,
     env: base.env,
     onlyPluginIds: base.requestedPluginIds,
+    includeUntrustedWorkspacePlugins: params.includeUntrustedWorkspacePlugins,
   });
   if (providerPluginIds.length === 0) {
     return undefined;
@@ -192,6 +193,7 @@ export function resolvePluginProviders(params: {
   cache?: boolean;
   pluginSdkResolution?: PluginLoadOptions["pluginSdkResolution"];
   mode?: "runtime" | "setup";
+  includeUntrustedWorkspacePlugins?: boolean;
 }): ProviderPlugin[] {
   const base = resolvePluginProviderLoadBase(params);
   if (params.mode === "setup") {