
thv llm: OIDC token lifecycle and thv llm token command #5028

@yrobla

Description


Context

Part of #5016 (RFC: stacklok/toolhive-rfcs#70). Depends on #5027 (foundation).

Scope

  • Token source implementing a three-tier strategy:
    1. In-memory cache
    2. Secrets-provider refresh token
    3. Browser OIDC+PKCE flow
  • Preemptive refresh 30s before expiry
  • Access tokens held in memory only — never written to disk or logged
  • Refresh tokens stored via ToolHive's existing secrets provider (OS keyring / encrypted file fallback), using ScopeLLM
  • thv llm token command — prints a fresh JWT to stdout (all other output on stderr), suitable for use as apiKeyHelper or auth.command

Acceptance Criteria

  • AT: thv llm token prints a fresh JWT to stdout with all other output on stderr
  • Unit: thv llm token exits with an error in non-interactive mode when no cached or refreshable token exists — it never launches a browser flow
  • Unit: Token source uses the three-tier strategy with preemptive refresh 30s before expiry (tested with mocked OIDC provider and secrets provider)
  • Access tokens are held in memory only and never written to disk or logged
  • Refresh tokens are stored via ToolHive's existing secrets provider
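The three-tier strategy from the Scope list and the non-interactive rule from the acceptance criteria, worked through as an added Go example that is not ToolHive's code. The OIDCProvider and SecretsProvider interfaces, the secret name llm-refresh-token, the fake token strings and the in-memory test doubles are all assumptions made here; ToolHive's real secrets provider and OIDC client have their own APIs.

```go
package main

import (
	"context"
	"errors"
	"sync"
	"time"
)

// Token is the result of an OIDC exchange; only RefreshToken is ever persisted.
type Token struct {
	AccessToken, RefreshToken string
	Expiry                    time.Time
}

// OIDCProvider and SecretsProvider are assumed interfaces, not ToolHive's real ones.
type OIDCProvider interface {
	Refresh(ctx context.Context, refreshToken string) (Token, error) // refresh-token grant
	BrowserLogin(ctx context.Context) (Token, error)                 // interactive OIDC+PKCE
}

type SecretsProvider interface {
	Get(name string) (string, error) // "" means no secret stored
	Set(name, value string) error
}

const refreshTokenSecret = "llm-refresh-token" // assumed secret name under the LLM scope
const refreshSkew = 30 * time.Second           // preemptive refresh window from the issue

var ErrNonInteractive = errors.New("no cached or refreshable token; re-run interactively to log in")

// TokenSource implements the three-tier strategy; the access token lives only in cached.
type TokenSource struct {
	mu          sync.Mutex
	provider    OIDCProvider
	secrets     SecretsProvider
	now         func() time.Time
	interactive bool   // false for `thv llm token` in non-interactive mode
	cached      *Token // in-memory only: never written to disk or logged
}

// Token returns a fresh access token: cache, then refresh token, then browser login.
func (s *TokenSource) Token(ctx context.Context) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	// Tier 1: serve the cached token only while more than refreshSkew remains before expiry.
	if s.cached != nil && s.now().Add(refreshSkew).Before(s.cached.Expiry) {
		return s.cached.AccessToken, nil
	}
	// Tier 2: refresh token from the secrets provider (OS keyring / encrypted file in ToolHive);
	// a revoked or expired refresh token falls through to tier 3.
	if rt, err := s.secrets.Get(refreshTokenSecret); err == nil && rt != "" {
		if tok, err := s.provider.Refresh(ctx, rt); err == nil {
			return s.store(tok)
		}
	}
	// Tier 3: browser OIDC+PKCE flow, refused outright in non-interactive mode.
	if !s.interactive {
		return "", ErrNonInteractive
	}
	tok, err := s.provider.BrowserLogin(ctx)
	if err != nil {
		return "", err
	}
	return s.store(tok)
}

// store caches the access token in memory and persists only the refresh token.
func (s *TokenSource) store(tok Token) (string, error) {
	s.cached = &tok
	if tok.RefreshToken != "" {
		if err := s.secrets.Set(refreshTokenSecret, tok.RefreshToken); err != nil {
			return "", err
		}
	}
	return tok.AccessToken, nil
}

// fakeOIDC and memSecrets are constructed test doubles (fake strings, not JWTs) so the block runs offline.
type fakeOIDC struct {
	clock                      func() time.Time
	refreshCalls, browserCalls int
}

func (f *fakeOIDC) Refresh(_ context.Context, rt string) (Token, error) {
	f.refreshCalls++
	return Token{AccessToken: "access-from-refresh", RefreshToken: rt, Expiry: f.clock().Add(time.Hour)}, nil
}

func (f *fakeOIDC) BrowserLogin(_ context.Context) (Token, error) {
	f.browserCalls++
	return Token{AccessToken: "access-from-browser", RefreshToken: "good-refresh", Expiry: f.clock().Add(time.Hour)}, nil
}

type memSecrets map[string]string

func (m memSecrets) Get(name string) (string, error) { return m[name], nil }
func (m memSecrets) Set(name, value string) error { m[name] = value; return nil }
```

The expiry check is written as `now + 30s < expiry` rather than `now < expiry`, which is what makes the refresh preemptive: a token with 30 seconds or less of life left is treated as already expired and replaced through tier 2 before a caller can be handed one that dies mid-request. A non-interactive caller never reaches tier 3, so `thv llm token` used as a helper command can only fail with an error on stderr, never block on a browser.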

Dependencies

References

Metadata

Labels: authentication; cli (Changes that impact CLI functionality); enhancement (New feature or request); go (Pull requests that update go code); llm gateway (LLM gateway authentication feature)
