fix: detect OAuth/device-code denial in CLI and wizard polling

[kaiweijw]

Summary

• [Bug] [CLI Wizard] CLI polling does not stop after device-code authorization is denied #600 (full): Cap the CLI device-code polling loop at the response's expires_at deadline (falls back to expires_in, then a 15-minute default). Previously the loop had no exit condition, so OpenAI Codex's 403-on-deny was treated as "still pending" forever and the user had to Ctrl+C. Also bails after 30 consecutive poll errors (~2.5 min at the default 5s interval) with a network-hint message.
• [Bug] [CLI Wizard] Local wizard page does not sync final state after OAuth success or cancellation #599 (partial frontend): Extract OAuth polling into auth-flow-polling.ts with dependency injection so it can be unit-tested directly. Recognize revoked / failed / expired as terminal failure statuses (forward-compat for the backend follow-up). Replace the bland 5-minute deadline message with one that tells the user to cancel and re-run if they canceled on the provider page.

closes #600

Partial fix toward #599: this PR adds the frontend half. Once the backend half lands (see follow-up note), the wizard will exit immediately on user-denial instead of waiting the full 5 minutes.

Follow-up: #599 backend half (separate PR)

backend/src/handlers/user_tokens.rs::generic_oauth_callback_impl currently redirects to /?error=access_denied on user denial without touching the placeholder UserApiKey. The placeholder stays in pending_auth forever until TTL. Follow-up work:

• Read the OAuth state to look up the placeholder UserApiKey/UserService bound to the pending OAuth.
• Mark them revoked (or a new denied status) so the wizard's polling exits immediately via the new terminal-status branch.
• Audit-log the deny path.

Test plan

• cargo test -p nyxid-cli (3 new parser tests + 277 existing + freshness)
• cd frontend && npm run test (533 tests including the new auth-flow-polling lifecycle tests)
• cargo test -p nyxid-cli --test wizard_bundle_freshness
• Manual [Bug] [CLI Wizard] CLI polling does not stop after device-code authorization is denied #600: nyxid service add llm-openai-codex --device-code --label "Deny test", click cancel on the provider page, confirm the CLI exits cleanly within ~15 minutes (the default deadline) instead of looping forever. With network unplugged, confirm it bails within ~2.5 minutes.
• Manual [Bug] [CLI Wizard] Local wizard page does not sync final state after OAuth success or cancellation #599 (partial): a 5-minute OAuth wait now shows the new actionable message ("If you canceled on the provider page or it's taking longer than expected, cancel and re-run") instead of the bland old one. Once the backend follow-up lands, the wizard will exit within ~2 seconds of denial.