feat(ui): Figma Snapshot PAT error deep-links to token settings (#1399)

[oscharko]

Summary

A failed Figma snapshot caused by a PAT/credential problem previously rendered a plain red error with no path to fix it — the operator had to hunt through Settings to find the Figma access-token field.

The assertive error card now renders an "Open Figma access token settings" action for credential errors (FIGMA_TOKEN_MISSING/INVALID/EXPIRED/REVOKED/INSUFFICIENT_SCOPE). Clicking it opens Settings → Models → the gateway-setup dialog with the Figma access-token field focused.

Cross-window navigation uses a small gatewaySetupBus (module-level latch + CustomEvent, mirroring the existing activityBus). The Settings window is a singleton tool window and openWindow does not merge cfg into an already-open instance, so a cfg-based deep-link would be dropped. The latch covers "Settings just opened" (read on mount); the event covers "Settings already open" (live listener); exactly one path claims each request. Dialog open is deferred until config has resolved without error so it never flashes first-run wording or focuses the wrong field.

The browser tier still never holds or transmits the PAT (resolved server-side); only the error code and a content-free request signal cross the window boundary.

Refs #1399

Scope

• In scope: clickable PAT/credential error → deep-link to the Figma access-token configuration; the new bus; an additive error-action button + style; proof regeneration for the CSS change.
• Out of scope: Figma Snapshot window layout rework, new auth flows, PAT validation rule changes.

Reuse And No-Duplication

• Existing Keiko functionality was inspected before implementation.
• This PR reuses, extends, generalizes, or consolidates existing functionality where practical.
• Any new implementation is limited to a documented capability gap in the linked issue.
• This PR does not introduce a parallel workspace, graph, relationship, policy, evidence, memory, connector, workflow, or UI subsystem where an existing subsystem can be extended.
• Refactoring or consolidation was considered when existing functionality was close but not shaped for this change.

Reuse evidence: reuses the existing GatewaySetupDialog Figma section (the only place the PAT can be entered, server-side security invariant), the existing SettingsPanel setup-open path, the existing assertive error-card pattern in FigmaSnapshotWindow, and mirrors the existing activityBus cross-tree messaging pattern rather than adding a new subsystem.

Product Impact

• UI or user workflow

Verification

Required:

• Required GitHub checks pass before merge.
• Local verification commands or rationale are listed below.
• Reuse/extension/generalization evidence or gap rationale is listed below.

Local verification:

packages/keiko-ui $ npx vitest run        → 3030 passed (the only 2 "failed files" are
  pre-existing worktree env failures: autoprefixer unresolvable in layout.test.ts /
  __tests__/pwa-metadata.test.ts — fail identically without this change, green in CI)
packages/keiko-ui $ npx eslint <changed files> --max-warnings=0   → clean
packages/keiko-ui $ npx tsc --noEmit      → no new errors (only pre-existing ExportBar.tsx)
#1300 proofs regenerated (PASS, SHA pin only):
  node docs/design-system/evidence/1300/equivalence-harness.mjs   → Group R 0-diff, PASS
  node docs/design-system/evidence/1300/editor/capture.mjs         → 14/14 captures, PASS
  node docs/design-system/evidence/1300/a11y/axe-proof.mjs         → 0 serious/critical, PASS

13 new tests cover: the bus (latch one-shot + event), all five PAT codes rendering the action and invoking the callback, the missing-callback and non-PAT negative cases, both window states (latch-on-mount + live-event), the no-spurious-open case, the load-failure deferral + retry, and a jest-axe scan of the action button inside role="alert".

Reuse / gap rationale:

Gap: no in-app affordance connected the PAT error to the (server-side-only) token
configuration. Filled by reusing GatewaySetupDialog + SettingsPanel; no parallel UI added.

Select only what applies:

• UI behavior manually verified or covered by tests.
• Core logic covered by unit, integration, property, or fixture tests.
• Security-sensitive change reviewed for trust boundaries, secrets, external calls, and generated artifacts.
• Not applicable items are explained below.

Not applicable rationale:

• No CLI, packaging/release, or documentation/Markdown surface changed. The browser tier never holds the PAT; only an error code + a content-free request signal cross the window boundary.

Review And Closure

• The PR implements only the linked issue scope.
• Actionable review findings are fixed or explicitly dispositioned.
• Unresolved review threads are resolved before merge.
• Checks are repeated after the latest pushed fix.
• Issue acceptance criteria and closure evidence are updated only where evidence exists.

An adversarial multi-lens review (correctness/race, a11y, security/boundaries, tests) was run; all four real findings were fixed in this branch (latch mutual-exclusion guard, defer-on-modelError, jest-axe coverage of the PAT button, focus-rationale comment). Security and architecture-boundary lenses came back clean. Uses Refs #1399 (not Resolves) — leaving issue closure to the maintainer per the owner-review-gated workflow.

Risk Notes

• Low risk, additive UI. No migration, no schema/data change, no new external calls.
• The new bus is in-memory and content-free; no PAT or secret crosses the window boundary.
• The only cross-cutting touch is regenerated #1300 evidence proofs (SHA pin + sub-perceptual PNG deltas), matching the convention of prior globals.css commits; verdicts are unchanged (PASS).