Register Entra app via secretless device-code bootstrap
AADSTS700016 came from the register flow sending the configured Oidc:ClientId (still a placeholder) as the auth client. The desktop reference app never needs config: it bootstraps with the first-party "Microsoft Graph Command Line Tools" public client (14d82eec-...) via MSAL interactive, which exists in every tenant. Replicate that for the web app. A server can't do MSAL loopback and the bootstrap client's redirect URIs don't include /connect/callback, so use the OAuth 2.0 device authorization grant instead — the web-equivalent of the desktop interactive flow:

- Add EntraDeviceCodeFlow: POST /devicecode then poll /token with the bootstrap client. No backing app, no client id/secret, no redirect URI.
- Profiles "Register in Entra" now shows the verification URL + user code and polls until the admin signs in, then calls AppRegistrationService to create the per-client app and adopts its appId.
- Remove the dead /connect/register-initiate endpoint and the IsRegistration branch from the callback (connect flow only now).

The client-tenant register/connect flows are now fully secretless. The Oidc:* config is used only by the toolbox's own sign-in (unchanged).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -122,6 +122,7 @@ builder.Services.AddSingleton(new AuditRepository(Path.Combine(dataFolder, "audi
// ── Auth infrastructure ───────────────────────────────────────────────────────
builder.Services.AddSingleton<IUserService, UserService>();
builder.Services.AddSingleton<IOAuthFlowCache, OAuthFlowCache>();
builder.Services.AddSingleton<IEntraDeviceCodeFlow, EntraDeviceCodeFlow>();
builder.Services.AddHttpClient<ITokenRefreshService, TokenRefreshService>();
builder.Services.AddHttpClient<IAppRegistrationService, AppRegistrationService>();
builder.Services.AddScoped<GraphClientFactory>();
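Review bot: EntraDeviceCodeFlow is registered with AddSingleton while the two neighbouring services that also talk to the token endpoint (TokenRefreshService, AppRegistrationService) go through AddHttpClient<,>. Per the commit message this flow POSTs to /devicecode and then polls /token, so it is an outbound HTTP client like the other two; as a plain singleton it has to own its HttpClient instance, which bypasses IHttpClientFactory's handler pooling and lifetime management (stale DNS, socket exhaustion under repeated polling). Suggest registering it the same way as its siblings, i.e. `builder.Services.AddHttpClient<IEntraDeviceCodeFlow, EntraDeviceCodeFlow>();`, unless it is deliberately a singleton because it also holds the in-flight poll state, in which case that state (the device_code, which is the credential used to poll /token and must stay server-side while only the verification URL and user code reach the browser) deserves a comment here and the HttpClient should still be injected from the factory rather than constructed in the class.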