feat(credentials): Add configurable refresh_buffer_seconds to CredentialProvider

[namo507]

Summary

Makes the credential refresh buffer configurable instead of hardcoded at 5 minutes. Addresses #5945.

Changes

• Updated should_refresh() in CredentialProvider to use getattr(self, "refresh_buffer_seconds", 300) instead of a hardcoded timedelta(minutes=5)
• Backward compatible — defaults to 300 seconds (5 min) if refresh_buffer_seconds isn't set on the provider instance
• Providers can now set self.refresh_buffer_seconds = <int> in their __init__ to customize

Related issue: Closes #5945

Test plan

• Default provider uses 300s buffer (verify timedelta(seconds=300) behavior)
• Custom provider with refresh_buffer_seconds=600 triggers refresh earlier
• Provider with refresh_buffer_seconds=60 for short-lived SSO tokens
• No regression on existing OAuth2 refresh flows

Notes

This unblocks teams using enterprise SSO tokens (15-30 min expiry) and long-lived API keys (24h+) that need different buffer tuning per provider.

[github-actions]

PR Closed - Requirements Not Met

This PR has been automatically closed because it doesn't meet the requirements.

PR Author: @namo507
Found issues: #5945 (assignees: none)
Problem: The PR author must be assigned to the linked issue.

To fix:

1. Assign yourself (@namo507) to one of the linked issues
2. Re-open this PR

Exception: To bypass this requirement, you can:

• Add the micro-fix label or include micro-fix in your PR title for trivial fixes
• Add the documentation label or include doc/docs in your PR title for documentation changes

Micro-fix requirements (must meet ALL):

Qualifies	Disqualifies
< 20 lines changed	Any functional bug fix
Typos & Documentation & Linting	Refactoring for "clean code"
No logic/API/DB changes	New features (even tiny ones)

Why is this required? See #472 for details.