feat(identity-wallet): implement start_pds_auth command
Implements OAuth PKCE+DPoP authentication to an arbitrary PDS endpoint.
The command:
1. Validates ClaimState is populated with DID and PDS URL
2. Discovers OAuth metadata from the PDS
3. Generates PKCE verifier/challenge and CSRF state
4. Gets or creates DPoP keypair
5. Calls PDS PAR endpoint with DID as login_hint
6. Opens Safari for user authorization
7. Awaits deep-link callback with authorization code
8. Exchanges code for tokens with nonce retry support
9. Creates OAuthClient pointing to the PDS
10. Stores client in ClaimState for use by subsequent commands
11. Emits pds_auth_ready event to frontend
Token exchange includes nonce retry logic following the same pattern as
the relay OAuth flow in oauth.rs, handling use_dpop_nonce 400 responses.
Follows existing patterns from start_oauth_flow in oauth.rs and reuses
all existing OAuth infrastructure (PKCE, DPoP, deep-link handling).
Tests: Unit tests for error cases (Unauthorized when ClaimState empty)
Build: cargo check succeeds, cargo fmt applied, cargo clippy clean