feat(configure): plugin OAuth account picker, multi-account hide, configured status (#336, #337, #338)

[hyoshi]

Summary

Three configure-UI refinements for broker-OAuth plugin providers (design B — e.g. the Logly-managed Meta provider meta_ads_logly). The OSS layer carries the mechanism; the plugin supplies the values/behaviour, so mureo-pro needs no change.

#336 — post-auth account picker

• New declarative AccountOAuthConfig.accounts_field (the field the picker fills) + optional provider hook list_oauth_accounts(credentials) -> Sequence[Mapping], discovered defensively via get_oauth_account_lister.
• New backend plugin_credentials.list_oauth_accounts(): loads the stored credentials section, invokes the hook (sync or async, bridged off the request thread), normalises to [{"id","name"}]. The token never reaches logs; any hook failure — including a non-iterable return — collapses to a clean 502, never a raw 500.
• New GET /api/credentials/plugins/<provider>/accounts maps typed errors to 404 / 409 / 502.
• Dashboard renders that field as a picker (Load → radios → dedicated Save) instead of free-text. Picker radios are type="button"-safe and excluded from the OAuth Authenticate-is-save payload.

#337 — hide account_id when multi-account (agency) is active

• multi_account_picker_scope() returns a per-provider allow-list excluding accounts_field; _resolve_field_scope merges it when a multi-account backend is active (an explicit backend scope wins).
• The per-account id is chosen per-client at runtime, so pinning one at configure time is meaningless — this hides the input and exempts it from required-validation, with no declaration needed from the agency backend.

#338 — "Configured ✓" status

• The OAuth target-field status row shows "Configured ✓" when the token is stored (keyed off the injected field.configured), instead of always prompting to Authenticate. (Input suppression for the target field already shipped in Plugin OAuth providers: replace Save with a single Authenticate-and-persist action — required target_field deadlocks first-time setup #217.)

A typo'd accounts_field is rejected at the registry boundary (loud ValueError) so a wiring mistake can't silently disable the picker or the multi-account hide.

Test plan

• mureo.web.plugin_credentials — list_oauth_accounts (normalisation, async hook, async-from-running-loop, unknown provider, not-supported, not-authenticated, hook-failure-wrapped, non-iterable-return → 502, token-never-logged), multi_account_picker_scope, oauth-block surfacing.
• Registry — accounts_field validation (valid / typo→ValueError), get_oauth_account_lister (callable / absent / non-callable).
• Handlers — accounts endpoint envelopes (200/409/404/404/502), _resolve_field_scope multi-account fold-in (auto-hide, backend-override, single-account no-op).
• Frontend asset guards — configured status, picker functions, radio-exclusion, success re-render; i18n en/ja parity + key-coverage.
• ruff + black clean on mureo/; mypy --strict clean on changed files; node --check on dashboard.js.
• Reviewed by python-reviewer + typescript-reviewer; all findings (Python HIGH ×1, JS HIGH ×2 + LOW ×1) fixed with regression tests.

Closes #336, #337, #338

https://claude.ai/code/session_011rAu94b1o1xWYZhARk1VmL