feat: interactive PAT setup on first session — eliminate pre-configured secrets #83

@datasciencemonkey

Problem

Users must pre-configure a DATABRICKS_TOKEN app secret before deploying. This adds friction and requires managing long-lived credentials outside the app.

Solution

Eliminate the pre-configured PAT entirely. When the user opens a terminal session and no valid PAT exists:

  1. Terminal shows a setup prompt explaining the coding agent needs credentials to act on their behalf
  2. User creates a short-lived PAT in the Databricks UI (direct link provided)
  3. User pastes it into the terminal
  4. App validates the PAT (calls current_user.me() to confirm it works)
  5. Rotation starts — original token rotated out in 10 minutes
  6. Rotated PAT persisted to secret scope (survives restart)

Key Behaviors

  • Cold start (no PAT): Prompt user to paste a PAT
  • Warm start (persisted PAT from previous rotation): Validate it still works, resume rotation
  • Stale PAT (expired/revoked): Detect failure, re-prompt user
  • Not just availability — usability: Always validate the PAT works before starting a session

UX

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  Databricks CLI is not configured.
  
  To allow the coding agent to act on your behalf,
  create a short-lived token and paste it here.
  
  1. Open: https://{workspace}#setting/account/token
  2. Create a token (any lifetime — it will be 
     auto-rotated every 10 minutes)
  3. Paste it below
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Changes

  • Remove DATABRICKS_TOKEN from app.yaml (no longer required)
  • Add /api/configure-pat endpoint (validate + start rotation)
  • Add /api/pat-status endpoint (check if PAT is valid)
  • Frontend: show setup prompt when PAT is missing or invalid
  • PATRotator: validate PAT usability before rotation, re-prompt on failure

Depends On
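
The cold / warm / stale startup check and the paste-then-validate step described above, as an added example that is not part of the original issue or the project's code. `WhoAmI`, `is_usable`, `session_state`, `accept_pasted` and `fake_whoami` are hypothetical names, and `fake_whoami` is a constructed stand-in for the `current_user.me()` call.

```python
from enum import Enum
from typing import Callable, Optional

# Hypothetical stand-in for the identity call (the issue uses current_user.me()):
# takes a token, returns the user name, raises if the token is rejected.
WhoAmI = Callable[[str], str]


class PatState(Enum):
    COLD = "cold"    # nothing persisted: prompt for a PAT
    WARM = "warm"    # persisted PAT still works: resume rotation
    STALE = "stale"  # persisted PAT expired or revoked: re-prompt


def is_usable(token: Optional[str], whoami: WhoAmI) -> bool:
    """A PAT counts only if an authenticated call succeeds with it."""
    if not token or not token.strip():
        return False
    try:
        return bool(whoami(token.strip()))
    except Exception:
        # Any failure is treated as unusable, so a session never starts on a bad PAT.
        return False


def session_state(persisted: Optional[str], whoami: WhoAmI) -> PatState:
    """Classify startup: presence of a stored PAT is not enough."""
    if not persisted:
        return PatState.COLD
    return PatState.WARM if is_usable(persisted, whoami) else PatState.STALE


def accept_pasted(pasted: str, whoami: WhoAmI) -> bool:
    """True means rotation may start; False means show the prompt again."""
    return is_usable(pasted, whoami)


def fake_whoami(token: str) -> str:
    """Constructed validator: only one made-up token is accepted."""
    if token != "dapi-constructed-valid":
        raise PermissionError("401: invalid or revoked token")
    return "user@example.com"
```
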
