feat(auth): add datastore and connection OAuth scopes

[otorrillas]

Summary

Add OAuth scope registration in pup for Actions Datastore and Action Connections so explicit login scopes and default login scopes can request them.

Changes

• Add apps_datastore_read, apps_datastore_write, and apps_datastore_manage to the default/known OAuth scope list.
• Add connections_write to the default/known OAuth scope list; keep connections_read available for read-only login.
• Allow workflow action connection commands to send OAuth bearer tokens instead of forcing API-key auth.
• Update workflow auth help text for action connections.

Notes

This is the narrow/naive scope-list update. A broader change to how pup handles its growing default OAuth scope set, including potentially omitting scope= for issuer defaults, should be discussed separately.

Testing

• git diff --check
• Not run: cargo fmt/test unavailable in this local shell because cargo/rustc/rustup are not installed.

[srosenthal-dd]

Hey, thanks for this! Getting wider support for newer auth methods (including OAuth) is my main focus, so I'd like to help get this shipped.

My comments:

1. It doesn't look like the server-side APIs are currently configured to support OAuth. It's pretty easy to add with a change like https://github.com/DataDog/dd-source/pull/426542 (was valid, only closed due to staleness -- I've mainly prioritized OAuth support as requested). Are you working on that? I'd be happy to help, including reopening that PR if appropriate.
2. I don't see any pup commands that actually use the apps_datastore_* scopes. Am I missing them? Are they planned for addition in the future?