feat: store credential expiration epoch in secret for proactive refresh

[HaoXuAI]

Problem

When the credential_chain provider creates a secret with web_identity or sts chains, the STS response includes an Expiration timestamp — but the extension only stores key_id, secret, and session_token. The expiration is discarded.

Consumers (e.g., duckdb-iceberg) that need to refresh credentials have no way to know when they expire, and must resort to fixed-interval timers (e.g., refresh every 300s regardless of actual TTL).

Fix

Store credentials.GetExpiration() as expiration_epoch (epoch seconds as BIGINT) in the secret_map when the expiration is non-empty. This is backwards-compatible — existing consumers that don't read it are unaffected.

Usage by consumers

Value expiry_val;
if (kv_secret.TryGetValue("expiration_epoch", expiry_val)) {
    int64_t expires_at = expiry_val.GetValue<int64_t>();
    int64_t now = std::chrono::duration_cast<std::chrono::seconds>(
        std::chrono::system_clock::now().time_since_epoch()).count();
    int64_t ttl = expires_at - created_at;
    if ((expires_at - now) < ttl * 0.2) {
        // Refresh — less than 20% TTL remaining
    }
}

Related

• duckdb/duckdb-iceberg#1051 — credential auto-refresh for Iceberg SIGV4 (will consume this field)