BUG: Migration reports success when source account (G1) has no valid OAuth token

[aakifshamsi]

Summary

After revoking OAuth access to stop the data-loss cleanup job, migration workflows continued reporting success. There is no early check that the source account token is valid before beginning migration work.

Reproduction

1. Revoke app access for G1 (source account) via Google Account → Security → Third-party apps
2. Trigger a migration workflow
3. Observe: workflow reports "success" or does not fail fast with a clear auth error

Root Cause

• get_token() in migrate.py fetches a token from the CF Worker. If the Worker has a cached/stale token or returns a token that has been revoked at Google's side, the script does not validate it before starting work.
• The preflight check in cleanup.py calls /profile to verify identity, but migrate.py has no equivalent — it proceeds immediately to listing labels/messages.
• A revoked token will cause individual Gmail API calls to fail with 401, but by then the workflow has already emitted "running" signals that look like progress.

Expected Behaviour

Migration should fail fast at startup with a clear message:

FATAL: Source account token is invalid or revoked. Re-auth at {WORKER_URL}/auth/{SOURCE_USER}

Fix Required

Add a preflight check to migrate.py (same pattern as cleanup.py):

• Call /profile with the source token immediately after acquiring it
• If 401 or profile email doesn't match GMAIL_SOURCE_USER, exit with FATAL before any work begins
• Same check for destination token(s)