
Harden security and fix race conditions #2

Merged
jaredpalmer merged 13 commits into main from audit
Feb 13, 2026

Conversation

@jaredpalmer
Owner

Summary

This PR systematically addresses the REVIEW.md findings, excluding the requested client-secret flag item.

What changed

  • Hardened OneDrive local path handling with canonicalization/escape checks.
  • Refactored circuit breaker flow to atomic execute/check behavior.
  • Added Graph-host allow-list validation for pagination tokens.
  • Enforced profile-name validation for auth cache/secret key derivation.
  • Added config read/write lockfile serialization with timeout handling.
  • Added OneDrive improvements: dry-run support, transfer progress, metadata-rich delete confirmation.
  • Added dry-run support for mail send and calendar create/update/delete.
  • Deduplicated OData page decoding in a shared graph helper.
  • Added best-effort zeroing of sensitive auth byte buffers.
  • Added tests for pagination hints and expanded coverage across modified areas.
  • Improved user-facing error formatting consistency (profile and breaker cases).
  • Added docs for exported API types and documented root exit handling behavior.
  • Updated README and microsoft-port-plan docs to reflect new behavior.

Validation

  • go test ./... (passing)

Notes

  • Per request, the --client-secret flag finding was intentionally not implemented in this PR.
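The path-containment, Graph-host allow-list and profile-name checks named in the list above, written out as an added example in Go. This is not the project's code and was not posted by the PR author: the function names, the contents of the allow-list and the profile-name rule are assumptions chosen for illustration, and the sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"regexp"
	"strings"
)

// ErrPathEscape is returned when an untrusted path would resolve outside the root.
var ErrPathEscape = errors.New("path escapes the local root")

// ResolveLocalPath joins an untrusted relative path onto root and rejects any
// result outside root. Containment is checked with filepath.Rel, not a string
// prefix test, so "/srv/onedrive-evil/x" is not mistaken for a child of
// "/srv/onedrive". Symlinks are not followed here; a tool writing into an
// existing tree should also run filepath.EvalSymlinks on the parent directory.
func ResolveLocalPath(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(userPath) {
		return "", fmt.Errorf("%w: absolute path %q", ErrPathEscape, userPath)
	}
	candidate := filepath.Join(absRoot, userPath) // Join also cleans ".." segments
	rel, err := filepath.Rel(absRoot, candidate)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %q", ErrPathEscape, userPath)
	}
	return candidate, nil
}

// AllowedGraphHosts is a constructed allow-list for this example (assumption);
// a real client would list the hosts of the clouds it actually targets.
var AllowedGraphHosts = map[string]bool{
	"graph.microsoft.com": true,
	"graph.microsoft.us":  true,
}

// ValidateNextLink accepts an @odata.nextLink value only if it is an https URL
// with no userinfo, no non-default port, and a host on the allow-list. The
// client sends its bearer token to whatever host the link names, so an
// unchecked link from a tampered response would leak the token.
func ValidateNextLink(raw string, allowed map[string]bool) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("nextLink scheme %q is not https", u.Scheme)
	}
	if u.User != nil { // "https://graph.microsoft.com@evil.example/" lands here
		return nil, errors.New("nextLink must not carry userinfo")
	}
	if p := u.Port(); p != "" && p != "443" {
		return nil, fmt.Errorf("nextLink port %q is not allowed", p)
	}
	host := strings.ToLower(u.Hostname())
	if !allowed[host] { // exact match: "graph.microsoft.com.evil.example" fails
		return nil, fmt.Errorf("nextLink host %q is not an allowed Graph host", host)
	}
	return u, nil
}

// profileNameRE (assumed rule) restricts a profile name to one safe path
// component so it can be used in cache file names and secret-store keys.
var profileNameRE = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$`)

// ValidateProfileName rejects empty or over-long names, separators, and names
// starting with a dot (so ".." and ".hidden" are refused).
func ValidateProfileName(name string) error {
	if !profileNameRE.MatchString(name) {
		return fmt.Errorf("invalid profile name %q", name)
	}
	return nil
}

func main() {
	for _, p := range []string{"docs/report.txt", "../../etc/passwd", "../onedrive-evil/x"} {
		out, err := ResolveLocalPath("/srv/onedrive", p)
		fmt.Printf("path %q -> %q err=%v\n", p, out, err)
	}
	for _, l := range []string{
		"https://graph.microsoft.com/v1.0/me/drive/root/children?$skiptoken=abc",
		"https://graph.microsoft.com@evil.example/v1.0/me",
		"http://graph.microsoft.com/v1.0/me",
	} {
		_, err := ValidateNextLink(l, AllowedGraphHosts)
		fmt.Printf("link %s err=%v\n", l, err)
	}
	fmt.Println(ValidateProfileName("work"), ValidateProfileName("../default"))
}
```

The containment test deliberately uses filepath.Rel rather than strings.HasPrefix on the cleaned path, because a prefix test accepts a sibling directory whose name merely starts with the root's name. The host check is an exact match against the allow-list after lower-casing, which is what stops look-alike subdomains and userinfo tricks from passing.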

jaredpalmer changed the title from "Address REVIEW.md findings (excluding client-secret flag)" to "Harden security and fix race conditions" on Feb 13, 2026
jaredpalmer merged commit f609ce0 into main on Feb 13, 2026
2 checks passed
jaredpalmer deleted the audit branch on February 13, 2026 at 14:53
1 participant