[NOTABLE] Shared singleton InMemoryTokenStore may leak token state between tests

The sync.OnceValue factory runs exactly once per process lifetime. Under go test, all tests in the package share the same InMemoryTokenStore instance returned by defaultStore(). Any test that stores a token via NewKeyringTokenStore() (which delegates to defaultStore()) will leave that token visible to all subsequent tests in the same binary run.

This is an accepted trade-off for the production singleton design (multiple toolsets sharing one store), and most existing tests already use NewInMemoryTokenStore() directly for isolation. However, integration tests or future tests that call NewKeyringTokenStore() and expect an empty store at start-up will see stale tokens from earlier tests — a subtle source of test flakiness.

Consider documenting this shared-state behaviour at the defaultStore declaration, or providing a test-helper that resets the singleton between tests (e.g., via t.Cleanup and a package-internal reset function).