
Pulling GitHub into the kernel process

Posted Jun 24, 2021 17:06 UTC (Thu) by Cyberax (✭ supporter ✭, #52523)
In reply to: Pulling GitHub into the kernel process by mathstuf
Parent article: Pulling GitHub into the kernel process

Yes, OAuth has this problem. I'm not even sure what the solution would be. WebAuthn over SASL?


Pulling GitHub into the kernel process

Posted Jun 24, 2021 17:54 UTC (Thu) by mathstuf (subscriber, #69389)

AFAIU, OAuth is supposed to add in a "this app is authorized to use this service" step to using the service through my account. This usually does come with real benefits:

- apps are limited in the API they access (and is curated by the developer rather than users not knowing what is actually necessary)
- additional permissions can be intercepted and requested at application update time (when refreshing their active token)
- dropping permissions doesn't require users to go and do it manually
- if my account secret token is stolen from app A, app B can't use it to access my account because it isn't authorized to do so
- services can pinpoint misbehaving applications or use of deprecated APIs and contact application developers directly

Of course, Fastmail's application-specific passwords allow you to limit which service(s) are available, but since there's no application authentication, stealing the password from offlineimap does grant IMAP access which is…substantial.

Honestly, I think I'd be OK with service-specific passwords that can be authorized every N days through WebAuthn or some other hardware token mediated thing. Though this would mean my automated backups would require some more maintenance, since I'd need to go and touch a Yubikey or whatever to keep its authorization token alive.


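The two authorization styles compared in the comment above, modelled as an added example (not code from LWN, from either commenter, or from any OAuth library; every name such as `Service`, `Grant`, `issue_token` and `authorize` is hypothetical). The "app B can't use app A's token" bullet only holds when the service can tell apps apart, so the model assumes a confidential client that authenticates with a registered client secret; the "every N days" idea from the last paragraph is modelled as a grant expiry that forces re-authorization. An application-specific password is represented as a bearer secret that is scoped to a service but carries no caller identity:

```python
from __future__ import annotations
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    """A user's authorization for one registered app (hypothetical model)."""
    client_id: str       # app the token was issued to
    scopes: set[str]     # what that app may do with the account
    expires_at: float    # when the user must re-authorize (the "every N days" idea)
    revoked: bool = False


class Service:
    """Hypothetical account service offering both authorization styles."""

    def __init__(self) -> None:
        self.app_passwords: dict[str, set[str]] = {}   # password -> services it may reach
        self.clients: dict[str, str] = {}              # client_id -> client_secret
        self.grants: dict[str, Grant] = {}             # access token -> grant

    # ---- application-specific passwords: service-scoped, but pure bearer secrets ----
    def create_app_password(self, services: set[str]) -> str:
        pw = secrets.token_urlsafe(16)
        self.app_passwords[pw] = set(services)
        return pw

    def check_app_password(self, pw: str, service: str) -> bool:
        # Nothing identifies the caller: whoever holds the password "is" the mail client.
        return service in self.app_passwords.get(pw, set())

    # ---- OAuth-style grants: client-bound, scope-limited, revocable server-side ----
    def register_client(self, client_id: str) -> str:
        client_secret = secrets.token_urlsafe(16)
        self.clients[client_id] = client_secret
        return client_secret

    def issue_token(self, client_id: str, scopes: set[str], lifetime_s: float,
                    now: float | None = None) -> str:
        if client_id not in self.clients:
            raise KeyError("unregistered client")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)
        self.grants[token] = Grant(client_id, set(scopes), now + lifetime_s)
        return token

    def authorize(self, token: str, client_id: str, client_secret: str, scope: str,
                  now: float | None = None) -> bool:
        grant = self.grants.get(token)
        if grant is None or grant.revoked:
            return False
        now = time.time() if now is None else now
        if now >= grant.expires_at:
            return False                       # user must re-authorize (e.g. touch a key)
        if grant.client_id != client_id:
            return False                       # token presented on behalf of another app
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return False                       # caller cannot prove it is that app
        return scope in grant.scopes           # scope check: only what the user granted

    def drop_scope(self, token: str, scope: str) -> None:
        """Service (or user) narrows a grant; the app does not have to do anything."""
        self.grants[token].scopes.discard(scope)


def demo(now: float = 1_000_000.0) -> dict[str, bool]:
    """Run both models on constructed data and return each outcome by name."""
    svc = Service()
    results: dict[str, bool] = {}

    pw = svc.create_app_password({"imap"})
    results["app_pw_imap_ok"] = svc.check_app_password(pw, "imap")
    results["app_pw_smtp_denied"] = svc.check_app_password(pw, "smtp")
    # The same password presented by any other program is indistinguishable.
    results["app_pw_reused_elsewhere"] = svc.check_app_password(pw, "imap")

    secret_a = svc.register_client("app-a")
    secret_b = svc.register_client("app-b")
    tok = svc.issue_token("app-a", {"mail:read"}, lifetime_s=30 * 86400, now=now)
    results["oauth_a_read_ok"] = svc.authorize(tok, "app-a", secret_a, "mail:read", now=now)
    results["oauth_a_write_denied"] = svc.authorize(tok, "app-a", secret_a, "mail:write", now=now)
    results["oauth_b_with_a_token"] = svc.authorize(tok, "app-b", secret_b, "mail:read", now=now)
    results["oauth_b_claiming_to_be_a"] = svc.authorize(tok, "app-a", secret_b, "mail:read", now=now)
    svc.drop_scope(tok, "mail:read")
    results["oauth_after_scope_drop"] = svc.authorize(tok, "app-a", secret_a, "mail:read", now=now)
    tok2 = svc.issue_token("app-a", {"mail:read"}, lifetime_s=30 * 86400, now=now)
    results["oauth_after_expiry"] = svc.authorize(tok2, "app-a", secret_a, "mail:read",
                                                  now=now + 31 * 86400)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28} {ok}")
```

The `demo()` results line up with the bullets: the app password is limited to IMAP but works for whoever holds it; the client-bound grant is limited to `mail:read`, is refused when presented by `app-b` (or by something claiming to be `app-a` without its secret), stops working as soon as the service drops the scope, and lapses after the re-authorization window without any change on the app side.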