Add OAuth grants for per-device session revocation

- OAuthGrant model tracks each client authorization, tied to the
  account session (issuer_session) that issued it
- OAuth authorize creates grant + code together
- Client apps store grant_token in session, verify via account's
  internal /auth/internal/verify-grant endpoint (Redis-cached 60s)
- Account logout revokes only grants from that device's session
- Replaces iframe-based logout with server-side grant revocation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

models/__init__.py

@@ -2,6 +2,7 @@ from .user import User
 from .kv import KV
 from .magic_link import MagicLink
 from .oauth_code import OAuthCode
+from .oauth_grant import OAuthGrant
 from .menu_item import MenuItem
 
 from .ghost_membership_entities import (