refactor(environment): extract shared helpers for command-based providers

[dgageot]

Deduplicate command execution and binary lookup logic from pass, keychain, and credential helper providers into shared runCommand and lookupBinary helpers in a new cmd_provider.go file.

Assisted-By: cagent

[docker-agent]

Review Summary

Found 1 issue in the refactoring: The new lookupBinary helper function masks non-ErrNotFound errors, which could make debugging difficult when system issues (like permission errors) occur.

The rest of the refactoring looks solid - it successfully deduplicates command execution and binary lookup logic without changing the functional behavior of the credential providers.

[docker-agent]

Error masking bug: Non-ErrNotFound errors are logged but not returned

When exec.LookPath fails with an error other than ErrNotFound (e.g., permission denied, I/O errors), the function logs a warning at line 34 but then returns the generic notFoundErr parameter here instead of the actual error.

This means callers will receive KeychainNotAvailableError or PassNotAvailableError when the real issue might be a permission problem or system configuration issue, losing critical debugging information.

Suggested fix:

func lookupBinary(name string, notFoundErr error) error {
	path, err := exec.LookPath(name)
	if err != nil {
		if errors.Is(err, exec.ErrNotFound) {
			return notFoundErr
		}
		// Return the actual error for non-NotFound cases
		slog.Warn("failed to lookup `"+name+"` binary", "error", err)
		return fmt.Errorf("failed to lookup %s: %w", name, err)
	}
	return nil
}

Or at minimum, check the error first rather than relying on the empty path check.