[TW-4729] refactor(dashboard,email): reduce code duplication in auth and pagination

[qasim-nylas]

Summary

• Dashboard auth: Extract shared loadDashboardTokens() helper, fix multi-org auto-selection bug (only auto-store when exactly 1 org), surface SyncSessionOrg errors as warnings, add persistActiveOrg() and syncSessionOrgWithWarning() shared helpers for login/SSO flows
• Email pagination: Extract shared fetchMessages() with messagesClient interface, removing ~60 lines of duplicated pagination boilerplate from list.go (was repeated 3x across list table output, list structured output, and search)
• Release workflow: Add snapshot validation build before tagging on workflow_dispatch; restrict real GoReleaser release, DMG creation, and upload to tag push events only

Details

Dashboard auth improvements

Change	Why
session_store.go — new loadDashboardTokens()	Was duplicated identically in AuthService.loadTokens() and AppService.loadTokens()
storeTokens: len(orgs) > 0 → == 1	Previously auto-selected first org when user belongs to multiple — incorrect behavior
SyncSessionOrg returns errors	Was silently swallowing failures (return nil); callers now get warnings via syncSessionOrgWithWarning()
persistActiveOrg() helper	Deduplicates org selection + storage logic between login.go and sso.go
exports.go: SyncSessionOrg() returns void	Exported for setup wizard — uses syncSessionOrgWithWarning() internally for consistency

Email pagination consolidation

Before	After
3 identical ~20-line pagination blocks in list.go (×2) and search.go	Single fetchMessages() function shared by all three call sites
searchMessagesClient interface (search-only)	messagesClient interface (package-shared)
Pagination decision split across caller	fetchMessages(maxItems): <0 = single page, 0 = unlimited, >0 = capped

Release workflow hardening

• workflow_dispatch now runs a --snapshot validation build before creating the git tag
• Actual goreleaser release, DMG creation, and DMG upload restricted to github.event_name == 'push' (tag push)
• Net effect: manual dispatches validate without publishing; broken builds can't produce orphaned tags

Files changed (13)

File	Change
.github/workflows/release.yml	Reorder: validate → tag → release; restrict release steps to push
internal/app/dashboard/session_store.go	New — shared loadDashboardTokens()
internal/app/dashboard/auth_service.go	Delegate to shared helper; fix == 1 org logic; return errors from SyncSessionOrg
internal/app/dashboard/app_service.go	Delegate to shared loadDashboardTokens()
internal/app/dashboard/auth_service_test.go	Update tests for error-returning SyncSessionOrg; add failingSecretStore; add storeTokens tests
internal/cli/dashboard/helpers.go	Add persistActiveOrg(), syncSessionOrgWithWarning(); fix printAuthSuccess org logic
internal/cli/dashboard/login.go	Use shared helpers instead of inline logic
internal/cli/dashboard/sso.go	Use shared helpers instead of inline logic
internal/cli/dashboard/exports.go	SyncSessionOrg() returns void, delegates to syncSessionOrgWithWarning()
internal/cli/dashboard/dashboard_test.go	New — unit tests for CLI helpers
internal/cli/email/search.go	Rename to fetchMessages() with messagesClient interface
internal/cli/email/list.go	Replace 2 pagination blocks with fetchMessages() calls
internal/cli/email/search_test.go	New — unit tests for pagination logic

Test plan

• make ci-full passes (unit + integration + lint + vet + security + vuln)
• nylas email list --limit 5 — single-page fetch works
• nylas email list --limit 250 — pagination works (fetched 250 across multiple pages)
• nylas email search "*" --limit 3 — search works
• nylas email list --limit 5 --json — structured output works
• nylas dashboard status — dashboard auth works

JIRA: TW-4729