
perf(cli): auth status does two load_session round-trips on the stored-session path #146

@gbrlcustodio

Motivation

pipefy auth status on the stored-session path invokes ensure_fresh_session twice per run:

  1. _populate_stored_session (commands/auth.py:324) — does the actual refresh when the token is near expiry.
  2. _fetch_identity → get_authenticated_client (auth.py:203) — re-enters ensure_fresh_session to obtain a bearer for the get_me call.

Tracing call #2 against the freshly-stored session:

  • load_session(...) reads the keychain again (~10 ms on macOS, more on Linux/Secret Service).
  • The freshness check (time.time() < session.obtained_at + expires_in - leeway_s) passes because we just stored a brand-new obtained_at.
  • Returns without touching the token endpoint.

So the actual cost is one extra keychain read plus one extra load_session deserialization per auth status, not two network refreshes. The PR review framed this as "extra token-endpoint load," which is true only on the first call; call #2 short-circuits on freshness.

Raised by adriannoes on PR #142 as an explicit "Optional follow-up."

Approach

Two equally viable shapes:

  1. Thread the refreshed StoredSession down: _populate_stored_session returns the (possibly rotated) session; _fetch_identity accepts it and passes the bearer directly into the GraphQL client, skipping get_authenticated_client's stored-session branch entirely.
  2. get_authenticated_client accepts an optional pre-fetched session: same effect, opt-in at the call site, no changes to non-auth status callers.

Option 2 is less invasive (one new kwarg, default None) and keeps the get_authenticated_client API as the single entry point.

Change

  1. Add prefetched_session: StoredSession | None = None kwarg to get_authenticated_client.
  2. When supplied, bypass the load_session + ensure_fresh_session round-trip for the stored-session branch; use its access_token as the bearer.
  3. In auth_status, capture the refreshed session from _populate_stored_session and pass it into the _fetch_identity → get_authenticated_client call chain.

Acceptance criteria

  • auth status on the stored-session path calls load_session exactly once per invocation (observable via mock call counts in a new test).
  • No behavior change on other auth paths (flag-token, env-token, service-account).
  • No behavior change for other CLI commands consuming get_authenticated_client.

Scope

  • 1 source file (packages/cli/src/pipefy_cli/auth.py) — add kwarg, conditional branch.
  • 1 source file (packages/cli/src/pipefy_cli/commands/auth.py) — capture + thread session.
  • 1 test file (packages/cli/tests/test_auth_status.py) — call-count assertion.
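
A minimal model of Option 2 and its call-count acceptance check, added here as an illustration and not taken from the pipefy CLI code base. The function bodies, the `KEYCHAIN` and `CALLS` stand-ins, the `is_fresh` helper and the 60-second leeway are assumptions; the sketch also re-checks freshness in memory before reusing the prefetched session, which costs no keychain read and keeps an expired bearer from being sent.

```python
import time
from dataclasses import dataclass

LEEWAY_S = 60                # assumed value; the issue names leeway_s only
KEYCHAIN = {}                # constructed in-memory stand-in for the OS keychain
CALLS = {"load_session": 0}  # stand-in for a mock call count


@dataclass
class StoredSession:
    access_token: str
    obtained_at: float
    expires_in: int


def load_session(profile):
    CALLS["load_session"] += 1
    return KEYCHAIN[profile]


def is_fresh(session, now=None):
    # The freshness test quoted in the issue.
    now = time.time() if now is None else now
    return now < session.obtained_at + session.expires_in - LEEWAY_S


def ensure_fresh_session(profile):
    session = load_session(profile)
    if not is_fresh(session):
        # Hypothetical stand-in for the token-endpoint refresh.
        session = StoredSession("refreshed-token", time.time(), 3600)
        KEYCHAIN[profile] = session
    return session


def get_authenticated_client(profile, prefetched_session=None):
    # Reuse the caller's session only while it is still fresh; otherwise
    # fall back to the stored-session path so a stale bearer is never used.
    if prefetched_session is not None and is_fresh(prefetched_session):
        session = prefetched_session
    else:
        session = ensure_fresh_session(profile)
    # A header dict stands in for the real GraphQL client.
    return {"Authorization": f"Bearer {session.access_token}"}


def auth_status(profile):
    session = ensure_fresh_session(profile)  # the single keychain read
    return get_authenticated_client(profile, prefetched_session=session)
```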

References
