fix: concurrency-safe relogin, private supervisor state, PHI-trim + RC polish

curogram-auth:
- dedup concurrent 401 relogins into a single cycle via reloginInFlight, so
  N parallel 401s no longer each burn a relogin attempt (counter now tracks
  relogin cycles, not callers). Skip re-relogin if another caller already
  swapped in a fresher session.
- tighten the MFA check to Array.isArray(login.mfa) && length > 0 so a
  success payload carrying mfa:null can't false-positive.

curogram server:
- send success no longer echoes the full API object (potential PHI). Return
  only message_id / status / created_at confirmation fields.
- clearer fail-closed linkage message (distinguishes shape drift from a
  genuine patient/conversation mismatch).

supervisor:
- move lock/log/health out of world-writable /tmp into a private 0700
  state dir ($XDG_STATE_HOME/curogram-mcp) to avoid symlink clobber.
- rename restarts_today -> total_restarts (it's since-start, not daily).

ringcentral-admin:
- paginate _find_ai_extension so >250 extensions can't hide an existing AI
  extension and cause a duplicate-create.
- hoist _TOKEN_CACHE_KEYS to module scope.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>