fix(auth): make external-login import validation non-destructive
The onboarding import flow validated each approved login by performing a live OAuth token *refresh* and rolled the import back (revoked the trusted source) if that refresh failed. This caused two real problems:

1. OAuth refresh tokens are single-use. The probe rotated the source's refresh token on the provider's servers and then discarded the rotated result (refresh was called with no jcode account label, so nothing was persisted). This could burn the original tool's login too.
2. Any transient/expired-token hiccup (e.g. Claude Code creds with an empty refresh token, or an already-rotated Codex token) silently reverted the import, so /model then showed every Anthropic/OpenAI route as 'x no credentials' with no explanation.

Validation is now a non-destructive presence check: we trust the source and confirm reusable credentials exist. Expired tokens are still imported (they refresh lazily and persist at request time, or the user runs /login) and we surface a 'token expired, will refresh on first use' note instead of failing.
jeremy committed
93eae8747f424f41cc81aa034c26b17bda78c939
Parent: 382dce8
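
The failure mode the commit message describes, as an added example that is not jcode's code: a live refresh probe against a provider with single-use refresh tokens invalidates the source tool's stored token, while a presence check leaves it untouched. `ToyProvider`, the credential field names and the rule for what counts as "reusable credentials" are assumptions made for illustration.

```python
import secrets

class ToyProvider:
    """Constructed stand-in for an OAuth server that rotates refresh tokens."""
    def __init__(self):
        self.live = set()

    def issue(self):
        token = secrets.token_hex(8)
        self.live.add(token)
        return token

    def refresh(self, refresh_token):
        if refresh_token not in self.live:
            raise PermissionError("invalid_grant")
        self.live.discard(refresh_token)  # single use: the old token dies here
        return {"access_token": secrets.token_hex(8), "refresh_token": self.issue()}

def probe_by_refresh(provider, creds):
    """Validation by live refresh whose rotated result is thrown away."""
    try:
        provider.refresh(creds["refresh_token"])
        return True
    except PermissionError:
        return False

def presence_check(creds, now):
    """Non-destructive validation: inspect stored fields, contact nobody."""
    # Assumption: either token being present counts as reusable credentials.
    if not (creds.get("access_token") or creds.get("refresh_token")):
        return False, "no reusable credentials"
    if creds.get("expires_at", 0) <= now:
        return True, "token expired, will refresh on first use"
    return True, "ok"

def demo():
    provider = ToyProvider()
    # Constructed sample: an expired login as stored by the source tool.
    source = {"access_token": "at-old", "refresh_token": provider.issue(), "expires_at": 50}
    checked = presence_check(source, now=100)
    alive_after_check = source["refresh_token"] in provider.live
    probed = probe_by_refresh(provider, source)
    # The source tool still holds the pre-rotation token, so its own refresh now fails.
    source_tool_refresh = probe_by_refresh(provider, source)
    empty_refresh = presence_check({"access_token": "at", "refresh_token": "", "expires_at": 50}, now=100)
    return checked, alive_after_check, probed, source_tool_refresh, empty_refresh

if __name__ == "__main__":
    print(demo())
```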