fix: harden dangling OAuth policy handling and error classification

[sergey3bv]

Summary

• fail-closed handling for missing policy_id;
• migration cleanup to make FK addition safe;
• regression test coverage update.

Avoid naming corporate partners, customers, or other sensitive external brands in this PR title or body. Use generic descriptors unless a maintainer explicitly approves the public reference.

Motivation

• A follow-up for signer: enforce encrypt/decrypt permissions and add coverage #131 and test(signer): regression test for invalid policy_id handling #132

Related Issue

• Closes chore(auth): decide policy enforcement for missing or dangling oauth_authorizations.policy_id #141

Testing

• cargo test --workspace --verbose
• cargo clippy --workspace --all-targets --all-features -- -D warnings -A deprecated
• cargo fmt --all -- --check
• Manual verification completed

Visuals

• UI/web change with screenshots/video attached
• No visual change
• Visuals and text avoid sensitive external brand or partner names unless explicitly approved

[dcadenas]

The migration still lets a revoked OAuth row reach permission checks as unrestricted access. Fix the active-authorization checks before merge so clearing policy_id to NULL never becomes the full-access path for revoked rows.

[dcadenas]

Keep revoked OAuth rows out before any NULL policy branch can allow access.
This migration sets revoked_at and clears dangling policy_id to NULL, but the later origin lookup and signer reload can still evaluate that row as unrestricted access.
Add revoked_at IS NULL to the active OAuth authorization lookup and make signer permission validation reject any refetched OAuth authorization with revoked_at set.
Please cover both the origin-based HTTP validator and signer validation for a revoked policy_id = NULL row, while preserving active NULL-policy access and valid empty-policy access.