TW-5059: fix WrapError request ID false-match and classification gaps

[qasim-nylas]

Summary

• Fix two bugs in WrapError where APIError instances with status 401/403/404 fell through to string-matching on err.Error(), which since PR TW-4937: surface API request ID in CLI error output #80 includes [request_id: ...] — a request ID containing "502" or "429" as a substring could misclassify the error, and all string-match paths silently dropped the request ID
• Extend the structured switch to handle 401 (auth failed), 403 (permission denied), 404 (not found), and a default catch-all so every APIError is classified by status code with RequestID preserved
• Remove redundant User-Agent header set in doJSONRequestInternalWithRetry (already set by doRequest/doRequestNoRetry)

Test plan

• TestWrapError_RequestIDDoesNotFalseMatchStatusCode — regression test proving request IDs containing "502", "429", "500" don't cause misclassification
• TestWrapError_APIErrorStatusClassification — expanded with 401, 403, 404 cases
• TestWrapError_PropagatesRequestID — all status code paths carry request ID
• TestWrapError_GenericForbiddenFallsThrough — generic 403 gets permission denied, not scope-specific suggestions
• TestHTTPClient_UserAgent — User-Agent still sent on all requests after removing redundant set
• make ci-full passes (4 pre-existing scheduler 404 failures unrelated to this change)

Related docs

• https://cli.nylas.com/docs/commands/auth-status — error output references this command in 401 suggestions
• https://cli.nylas.com/docs/commands/auth-config — error output references this command in 401 suggestions
• https://cli.nylas.com/docs/commands/doctor — affected by error classification changes