fix(kura): fallback legacy project auth after inactive introspection

Fixes the Kura compatibility regression where project-scoped cache requests from older CLIs can be rejected after Kura introspection reports the token inactive.

Kura now falls back to the existing /api/cache/access authorization path for project-scoped requests when /oauth2/introspect returns active: false. This matches the legacy cache path that older CLIs already rely on, while keeping account-scoped Kura authorization tied to introspection and preserving 401s when the fallback endpoint also rejects the token.

This fixes the backward-compat acceptance failure where a CLI logs in before creating a throwaway project, receives a token whose embedded cache grants do not include that project, then gets a Kura 401 on the first artifact request.

How to test locally

• cd kura && mise exec -- cargo fmt --check
• cd kura && mise exec -- cargo test extension::tests::tuist_hook -- --nocapture

Note: mise emitted a postinstall warning about apple.swift-protobuf while resolving the repo toolchain, but the Kura test command completed successfully.

No GitHub comments yet.