Handle Codex Pro Lite plan responses and OAuth fallback edge cases

[ratulsarna]

Fixes #691 and #709.

Codex started returning new plan_type values like prolite, which left a few different paths in CodexBar out of sync. This change teaches the Codex-specific surfaces to render those plan values consistently as Pro Lite without pushing provider-specific behavior into the shared formatter.

It also makes the OAuth usage decoder more tolerant of optional payload drift, but keeps auto mode honest about when that partial decode is no longer good enough. If OAuth loses the 5h/session lane because a window payload is malformed, we now fall back to the CLI. If a valid session lane still survives after reconciliation, including the reversed weekly/session shape, we keep the OAuth result instead of discarding usable data.

The test coverage here is intentionally broad because the blast radius crosses a few boundaries: OAuth decoding, dashboard parsing, menu and CLI rendering, user-facing error sanitization, and the CLI fallback path when Codex RPC chokes on newer plan variants.

[ratulsarna]

@yossy6028 and @sdewell : it would be great if you could give this branch a shot locally and see if your $100 plan works.