refactor(core): lift Settings, TokenManager, and tool-credentials into crewai-core

- New crewai_core.{settings,token_manager,tool_credentials} absorb the previously
  duplicated Settings class (~200 LOC), TokenManager (~185 LOC), and
  build_env_with_*_credentials helpers from both crewai and crewai-cli.
- crewai_core.constants gains the OAuth2/enterprise URL constants.
- crewai.settings, crewai.auth.token_manager, crewai_cli.config, and
  crewai_cli.shared.token_manager are now thin re-export shims (deprecation
  warnings on the crewai.* paths; crewai_cli.* paths kept silent re-exports).
- Internal callers (plus_api, auth.token, auth.oauth2, agent_utils,
  trace_batch_manager) migrated to crewai_core.* imports.
- Tests updated to patch crewai_core.{settings,token_manager}.* paths.
- crewai-core gains pydantic, cryptography, tomli deps; crewai-cli's redundant
  cryptography dep can stay (still imported by crewai_cli.shared.token_manager
  shim users) — no behavior change.
- Standalone CLI smoke still passes; crewai's full mypy (471 files) clean.

lib/crewai/tests/cli/test_config.py

@@ -12,7 +12,7 @@ from crewai.settings import (
     USER_SETTINGS_KEYS,
     Settings,
 )
-from crewai.auth.token_manager import TokenManager
+from crewai_core.token_manager import TokenManager
 
 
 class TestSettings(unittest.TestCase):
@@ -69,7 +69,7 @@ class TestSettings(unittest.TestCase):
         for key in user_settings.keys():
             self.assertEqual(getattr(settings, key), None)
 
-    @patch("crewai.settings.TokenManager")
+    @patch("crewai_core.settings.TokenManager")
     def test_reset_settings(self, mock_token_manager):
         user_settings = {key: f"value_for_{key}" for key in USER_SETTINGS_KEYS}
         cli_settings = {key: f"value_for_{key}" for key in CLI_SETTINGS_KEYS if key != "oauth2_extra"}