fix(litellm): route ChatGPT OAuth natively

[PurpleCHOIms]

Summary

• switch ChatGPT OAuth model assignments from auth/gpt-* aliases to LiteLLM native chatgpt/gpt-* routes
• generate dynamic LiteLLM config whenever subscription OAuth flags are enabled, even without DECEPTICON_MODEL* overrides
• surface ChatGPT token_invalidated as a credential refresh error instead of a generic no-fallback failure
• update onboard copy, docs, and unit coverage

Verification

• uv run ruff check config/litellm_dynamic_config.py config/litellm_startup.py decepticon/llm/factory.py decepticon/llm/models.py tests/unit/llm/test_factory.py tests/unit/llm/test_litellm_dynamic_config.py tests/unit/llm/test_models.py
• uv run pytest tests/unit/llm/test_factory.py tests/unit/llm/test_models.py tests/unit/llm/test_litellm_dynamic_config.py
• python3 -m py_compile config/litellm_dynamic_config.py config/litellm_startup.py decepticon/llm/models.py decepticon/llm/factory.py
• git diff --check
• go test ./... (clients/launcher)

[PurpleCHOIms]

Superseded by #187, which takes a different architectural direction:

• New shared config/oauth_token_store.py module (atomic write, mtime+size cache, 401 retry) consumed by all six handlers, eliminating per-handler duplication
• config/auth_handler.py extracts the auth/ dispatcher from litellm_startup.py and adds prefix-based routing for both claude-* and gpt-*
• ChatGPT routes through a custom config/codex_chatgpt_handler.py reading ~/.codex/auth.json directly (with rw mount + atomic write-back), avoiding the LiteLLM-native chatgpt provider entirely — so refresh + token rotation is in-process, no docker recreate needed
• Adds auth/gpt-5.4-mini LOW tier (per Codex CLI models.json May 2026)
• Hardens credential detection: vendor-prefix validation on API keys, file-presence check on OAuth so a stale DECEPTICON_AUTH_*=true doesn't poison the fallback chain

Closing in favor of #187. Thanks for the original groundwork that this builds on.