refactor: dedupe auth profile store normalization

src/agents/auth-profiles/store.ts

@@ -126,6 +126,22 @@ function writeCachedAuthProfileStore(
   });
 }
 
+function normalizeSecretBackedField(params: {
+  entry: Record<string, unknown>;
+  valueField: "key" | "token";
+  refField: "keyRef" | "tokenRef";
+}): void {
+  const value = params.entry[params.valueField];
+  if (value == null || typeof value === "string") {
+    return;
+  }
+  const ref = coerceSecretRef(value);
+  if (ref && !coerceSecretRef(params.entry[params.refField])) {
+    params.entry[params.refField] = ref;
+  }
+  delete params.entry[params.valueField];
+}
+
 export async function updateAuthProfileStoreWithLock(params: {
   agentDir?: string;
   updater: (store: AuthProfileStore) => boolean;
@@ -175,21 +191,9 @@ function normalizeRawCredentialEntry(raw: Record<string, unknown>): Partial<Auth
   // value is truthy (an object) but has no `.trim()` method.  Migrate the
   // misplaced ref to `keyRef` so the secret-resolution pipeline can pick it
   // up, and clear the invalid `key` so callers never see a non-string value.
-  if ("key" in entry && entry["key"] != null && typeof entry["key"] !== "string") {
-    const ref = coerceSecretRef(entry["key"]);
-    if (ref && !coerceSecretRef(entry["keyRef"])) {
-      entry["keyRef"] = ref;
-    }
-    delete entry["key"];
-  }
+  normalizeSecretBackedField({ entry, valueField: "key", refField: "keyRef" });
   // Same treatment for `token` on TokenCredential entries.
-  if ("token" in entry && entry["token"] != null && typeof entry["token"] !== "string") {
-    const ref = coerceSecretRef(entry["token"]);
-    if (ref && !coerceSecretRef(entry["tokenRef"])) {
-      entry["tokenRef"] = ref;
-    }
-    delete entry["token"];
-  }
+  normalizeSecretBackedField({ entry, valueField: "token", refField: "tokenRef" });
   return entry as Partial<AuthProfileCredential>;
 }