feat(worker): real ZitadelAuthProvider (refresh-token grant, auth-code+PKCE)

Headless refresh-token -> access-token exchange via OIDC discovery + token
endpoint. Cached to expiry (60s margin), thread-safe, persists rotated refresh
tokens, graceful null on invalid_grant/network errors. Wired into DI when
online_inbox is enabled. Interactive PKCE login (UI) still pending the
registered redirect URI. 7 tests, stubbed HttpMessageHandler.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
mika kuns
2026-06-10 10:08:33 +02:00
parent 96da9fbae5
commit 619bc0c38d
3 changed files with 407 additions and 7 deletions
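The provider described in the commit message (discovery, refresh-token grant, 60s-margin caching, thread safety, rotated-token persistence, null on invalid_grant or network failure) is not shown in this diff, only its DI registration. The following is an added sketch written for this page, not the project's `ZitadelAuthProvider` or `OnlineTokenStore`: the class, the `IRefreshTokenStore` interface and the `RefreshTokenAuthProvider` name are hypothetical, and it assumes a public client (no client secret) against a standard OIDC token endpoint. It also adds one check a reviewer would ask for: the discovered `token_endpoint` is pinned to the configured issuer's HTTPS origin before the refresh token is ever posted to it.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical store interface standing in for the DPAPI-backed OnlineTokenStore
// named in the diff; its real shape is not shown on this page.
public interface IRefreshTokenStore
{
    string? Load();
    void Save(string refreshToken);
}

// Immutable snapshot so the unlocked fast path reads a single reference atomically.
public sealed record CachedAccessToken(string Value, DateTimeOffset ExpiresAt);

public sealed class RefreshTokenAuthProvider
{
    private static readonly TimeSpan ExpiryMargin = TimeSpan.FromSeconds(60);
    private readonly HttpClient _http;
    private readonly IRefreshTokenStore _store;
    private readonly Uri _issuer;
    private readonly string _clientId;
    private readonly SemaphoreSlim _gate = new(1, 1);
    private volatile CachedAccessToken? _cached;
    private Uri? _tokenEndpoint;

    public RefreshTokenAuthProvider(HttpClient http, IRefreshTokenStore store, Uri issuer, string clientId)
    {
        _http = http; _store = store; _issuer = issuer; _clientId = clientId;
    }

    private static bool StillFresh(CachedAccessToken? t) =>
        t is not null && DateTimeOffset.UtcNow < t.ExpiresAt - ExpiryMargin;

    // Returns a bearer token, or null when no usable refresh token exists
    // (invalid_grant, network failure); the caller then falls back to interactive login.
    public async Task<string?> GetAccessTokenAsync(CancellationToken ct = default)
    {
        var snapshot = _cached;
        if (StillFresh(snapshot)) return snapshot!.Value;

        await _gate.WaitAsync(ct);
        try
        {
            // Re-check under the lock: a concurrent caller may have refreshed already,
            // and refreshing twice would burn a single-use rotated refresh token.
            snapshot = _cached;
            if (StillFresh(snapshot)) return snapshot!.Value;

            var refreshToken = _store.Load();
            if (string.IsNullOrEmpty(refreshToken)) return null;

            _tokenEndpoint ??= await DiscoverTokenEndpointAsync(ct);

            var form = new Dictionary<string, string>
            {
                ["grant_type"] = "refresh_token",
                ["refresh_token"] = refreshToken,
                ["client_id"] = _clientId, // public client: no client_secret
            };
            using var response = await _http.PostAsync(_tokenEndpoint, new FormUrlEncodedContent(form), ct);
            using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync(ct));
            var root = doc.RootElement;

            if (!response.IsSuccessStatusCode)
            {
                // invalid_grant: refresh token revoked, expired, or already rotated away.
                // Drop the stale cache and report null; retrying would only fail again.
                if (root.TryGetProperty("error", out var err) && err.GetString() == "invalid_grant")
                    _cached = null;
                return null;
            }

            var access = root.GetProperty("access_token").GetString()!;
            var lifetime = root.GetProperty("expires_in").GetInt32();
            _cached = new CachedAccessToken(access, DateTimeOffset.UtcNow.AddSeconds(lifetime));

            // Rotating refresh tokens: persist the new one before returning, or the
            // next refresh hits invalid_grant and the user is forced back to login.
            if (root.TryGetProperty("refresh_token", out var rotated) && rotated.GetString() is { Length: > 0 } next)
                _store.Save(next);

            return access;
        }
        catch (HttpRequestException) { return null; }                                      // DNS/TLS/connection or pinning failure
        catch (TaskCanceledException) when (!ct.IsCancellationRequested) { return null; }  // HttpClient timeout
        finally { _gate.Release(); }
    }

    // OIDC discovery: fetch the metadata document and pin token_endpoint to the issuer's
    // HTTPS origin, so a tampered or spoofed document cannot redirect the refresh token.
    private async Task<Uri> DiscoverTokenEndpointAsync(CancellationToken ct)
    {
        var metadataUrl = new Uri(_issuer.AbsoluteUri.TrimEnd('/') + "/.well-known/openid-configuration");
        using var doc = JsonDocument.Parse(await _http.GetStringAsync(metadataUrl, ct));
        var endpoint = new Uri(doc.RootElement.GetProperty("token_endpoint").GetString()!);
        var issuerClaim = doc.RootElement.GetProperty("issuer").GetString();
        if (endpoint.Scheme != Uri.UriSchemeHttps || endpoint.Host != _issuer.Host
            || issuerClaim?.TrimEnd('/') != _issuer.AbsoluteUri.TrimEnd('/'))
            throw new HttpRequestException("Discovery document does not match the configured issuer.");
        return endpoint;
    }
}
```

The double-checked pattern around the semaphore matters more here than for ordinary caches: with refresh-token rotation the old token is single-use, so two concurrent refreshes would make the second one fail with invalid_grant and, if the first caller's rotated token was not yet persisted, could leave the store holding a dead token. The 60-second margin is subtracted at read time rather than baked into the stored expiry so a long-running request started just before expiry still carries a token the server considers valid.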


@@ -156,9 +156,10 @@ if (cfg.OnlineInbox.Enabled)
{
OnlineInboxApiClient.ValidateBaseUrl(cfg.OnlineInbox.ApiBaseUrl);
builder.Services.AddSingleton(cfg.OnlineInbox);
builder.Services.AddSingleton<IOnlineAuthProvider, StaticTokenAuthProvider>();
builder.Services.AddHttpClient();
#pragma warning disable CA1416 // ClaudeDo.Worker is Windows-only; DPAPI is fine here.
builder.Services.AddSingleton<OnlineTokenStore>();
builder.Services.AddSingleton<IOnlineAuthProvider, ZitadelAuthProvider>();
#pragma warning restore CA1416
builder.Services.AddHttpClient<IOnlineInboxApi, OnlineInboxApiClient>(client =>
{
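Review bot: `builder.Services.AddSingleton<IOnlineAuthProvider, StaticTokenAuthProvider>();` and `builder.Services.AddSingleton<IOnlineAuthProvider, ZitadelAuthProvider>();` both appear in this hunk, and the rendered view has dropped the +/- markers. If the `StaticTokenAuthProvider` line is the removed one, as the "wired into DI" wording of the commit message suggests, nothing is wrong, but if both registrations survive, `AddSingleton` appends rather than replaces, and a single `IOnlineAuthProvider` resolution takes the last registration, silently swapping the static-token path for the Zitadel one while anything resolving `IEnumerable<IOnlineAuthProvider>` sees both. Worth confirming the old line is gone. Separately, the `#pragma warning disable CA1416 // ClaudeDo.Worker is Windows-only; DPAPI is fine here.` region suppresses the analyzer for both the `OnlineTokenStore` and the `ZitadelAuthProvider` registrations; since the justification is a deployment assumption rather than a code guarantee, a startup guard such as `if (!OperatingSystem.IsWindows()) throw ...` next to the `OnlineTokenStore` registration would turn a wrong-platform deployment into a clear failure instead of a DPAPI exception on first token read.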