Fix Sub2API account sync with redacted credentials

[JokerIvanZK]

Summary

• support Sub2API v0.1.129 redacted account list responses by honoring credentials_status.has_access_token
• import OpenAI OAuth accounts through the admin data export endpoint before falling back to the legacy detail endpoint
• keep local account import access-token-only and discard refresh/id tokens from remote responses

Root cause

Sub2API v0.1.129 redacts sensitive credentials in the normal admin account list/detail payloads. The existing Go importer only kept accounts that exposed raw credentials.access_token, so OpenAI OAuth accounts with credentials_status.has_access_token=true were filtered out and sync showed 0 accounts.

Verification

• gofmt -w internal/service/sub2api.go internal/service/sub2api_test.go
• GOPROXY=https://goproxy.cn,direct go test ./internal/service -run 'TestSub2API'
• local runtime self-test with a mock Sub2API v0.1.129 response: groups loaded, redacted accounts listed, import called /api/v1/admin/accounts/data?ids=...&include_proxies=false, and SQLite account storage contained only the access token
• user verified the fix against a real Sub2API v0.1.129 server through the local runtime
• GOPROXY=https://goproxy.cn,direct go test ./... was attempted after building frontend assets; all affected packages passed, but an existing internal/config test fails on macOS because t.TempDir() resolves as /var/... while os.Getwd() returns /private/var/...

Fixes basketikun#187
Fixes basketikun#189