Show OAuth auth response bodies in Network tab, with sensitive-field masking + reveal toggle #1386

@cliffhall

Problem

auth-category Network entries show request body, headers, and status, but no response body (renders (empty) even when content-length says otherwise). This is deliberate today — buildEffectiveAuthFetch (core/mcp/inspectorClient.ts) does not wire updateResponseBody to avoid surfacing access_token/refresh_token in the body preview (screen-share leak). But it means the OAuth token-exchange response (the most useful thing to inspect when debugging auth) is never visible.

Change

Capture auth response bodies and display them, but mask sensitive OAuth fields by default behind a click-to-reveal toggle:

  1. buildEffectiveAuthFetch — wire updateResponseBody so auth response bodies are captured (mirrors the transport fetcher).
  2. New maskSecretsInBody util — masks access_token, refresh_token, id_token, client_secret values in JSON bodies; returns whether anything was masked.
  3. NetworkEntry's BodyPreview — when a body contains masked fields, render it masked with a "Reveal"/"Hide" toggle. Copy honors the current (masked vs raw) view.

Notes

Acceptance criteria

  • A successful /token exchange shows its JSON response body in Network, with access_token/refresh_token masked until revealed.
  • Non-sensitive bodies (e.g. discovery metadata) show fully with no toggle.
  • No regression to transport-entry body display.
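
One way the maskSecretsInBody util from step 2 could behave, as an added example that is not the inspector's own code. The return shape, the mask string and the recursion into nested objects are assumptions; only the function name and the four field names come from the issue.

```typescript
// Added example, not the inspector's code. Only the function name and the
// four field names come from the issue; everything else is an assumption.
const SENSITIVE_FIELDS = ["access_token", "refresh_token", "id_token", "client_secret"];
const MASK = "********";

interface MaskResult {
  body: string;    // text that is safe to render by default
  masked: boolean; // true when at least one value was replaced (drives the toggle)
}

function maskValue(value: unknown, state: { masked: boolean }): unknown {
  if (Array.isArray(value)) return value.map((v) => maskValue(v, state));
  if (value === null || typeof value !== "object") return value;
  // Null-prototype output so a "__proto__" key in the body stays plain data.
  const out: Record<string, unknown> = Object.create(null);
  const src = value as Record<string, unknown>;
  for (const key of Object.keys(src)) {
    if (SENSITIVE_FIELDS.indexOf(key) !== -1 && src[key] !== null) {
      out[key] = MASK; // replace the whole value, whatever its type
      state.masked = true;
    } else {
      out[key] = maskValue(src[key], state); // recurse into nested objects
    }
  }
  return out;
}

function maskSecretsInBody(raw: string): MaskResult {
  let parsed: unknown;
  try {
    parsed = JSON.parse(raw);
  } catch {
    return { body: raw, masked: false }; // not JSON: passed through unchanged
  }
  const state = { masked: false };
  const safe = maskValue(parsed, state);
  // Untouched bodies are returned byte-for-byte so no toggle is rendered.
  if (!state.masked) return { body: raw, masked: false };
  return { body: JSON.stringify(safe, null, 2), masked: true };
}

// Constructed sample /token response (values are placeholders).
const SAMPLE_TOKEN_RESPONSE = JSON.stringify({
  access_token: "constructed-access-token",
  token_type: "Bearer",
  expires_in: 3600,
  refresh_token: "constructed-refresh-token",
});
console.log(maskSecretsInBody(SAMPLE_TOKEN_RESPONSE).body);
```

Because this version only understands JSON, a body in any other encoding is returned unmasked with masked set to false.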


Labels: auth, v2
