fix: sidecar retries dead refresh token indefinitely after invalid_grant

[tumberger]

Problem

When the OIDC refresh token becomes invalid (expired or revoked), the sidecar's heartbeat loop retries the same dead refresh token every 30 seconds indefinitely. The stale session remains in the keychain, so the problem persists until the user manually runs kontext login.

Observed logs:

sidecar: heartbeat: unavailable: token refresh: token expired and refresh failed: refresh token: oauth2: "invalid_grant"

Root Cause

newSessionTokenSource in internal/run/run.go has no recovery path when RefreshSession returns invalid_grant. The error is returned, but the stale session is never cleared — so the next heartbeat retries with the same dead token.

Fix

1. Detect invalid_grant and stop retrying
2. Clear the stale session from keychain
3. Log a message telling the user to run kontext login