
fix(auth): exit immediately on terminal auth denial and unify denial page styles #122

Merged
PeterGuy326 merged 4 commits into DingTalk-Real-AI:main from fantiu:feat-claw
Apr 17, 2026

Conversation

@fantiu (Collaborator) commented Apr 17, 2026

Summary

Improves the dws auth login experience when the organization or channel
policy denies CLI access.

1. Exit immediately on terminal denial reasons

When /cli/cliAuthEnabled returns a terminal denial reason, the
browser shows a page with no "apply" button (admin intervention
required), but the CLI was still entering the polling loop that waits
for the user to submit an apply request. This caused the terminal to
hang on ⏳ 等待提交申请中 (Xs/600s) until the 10-minute timeout,
even though the browser already showed a clear terminal error.

After this change, the CLI exits right away with an error message
identical to the text on the HTML page, for the following reasons:

denialReason                              Behavior
----------------------------------------  ------------------------------------------------------------
user_forbidden / user_not_allowed         Exit with "您不在该组织的 CLI 授权人员范围内..."
channel_not_allowed / channel_required    Exit with "当前渠道未获得该组织授权,或组织已开启渠道管控..."
cli_not_enabled (org not enabled yet)     Keep existing polling flow (user can still apply in browser)

Implementation: threaded denialReason through callbackResult and
added an early-return switch before the polling loop in
OAuthProvider.Login. This mirrors the existing behavior in
device_flow.go, so the two login paths are now consistent.

2. Unify denial page styles with the success page

accessDeniedHTML ("无权限访问") and channelDeniedHTML ("渠道未授权")
rendered as small square cards with different typography than
successHTML ("授权成功"), which used a fixed 480x600 vertical card.

All three pages now share the same card dimensions (height: 600px; width: 480px), padding, icon class (.lock-icon), and full PingFang
SC font stack. The message body was also collapsed from two <p>
tags into one, matching the structure of the success page.

3. Remove unused DWS_CHANNEL_CLIENT_ID

The environment variable and its corresponding x-dws-channel-client-id
HTTP header had no observable effect on the MCP backend. Removing it:

  • cleans up dws config list output
  • drops the header injection logic in resolveIdentityHeaders
  • removes the configmeta.Register entry in endpoints.go

DWS_CHANNEL (→ x-dws-channel) is kept unchanged, since it is still
used for channel-scope authorization checks.

Files changed

  • internal/auth/oauth_provider.go — early-exit switch for terminal
    denial reasons, carry denialReason on the callback result.
  • internal/auth/oauth_helpers.go — restyle accessDeniedHTML and
    channelDeniedHTML to match successHTML.
  • internal/app/runner.go — drop DWS_CHANNEL_CLIENT_ID env var and
    the x-dws-channel-client-id header injection.
  • internal/auth/endpoints.go — drop DWS_CHANNEL_CLIENT_ID
    registration from configmeta.

Test plan

  • dws auth login in an org where the current user is
    userScope=forbidden → CLI exits with the same message shown
    on the "无权限访问" page, no 10-minute hang.
  • dws auth login with DWS_CHANNEL=<not-allowed> → CLI exits
    with the "渠道未授权" message.
  • dws auth login in an org that has not yet enabled CLI auth
    → browser still shows the apply page, CLI still polls for apply
    submission (behavior unchanged).
  • Open the three auth result pages in a browser; confirm they
    render as identical 480×600 vertical cards.
  • dws config list no longer shows DWS_CHANNEL_CLIENT_ID;
    DWS_CHANNEL still present.
  • make build && make test pass.
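The early-exit switch the description places before the polling loop, written out as an added Go example that is not the project's own code: the denialReason values and the two messages are taken from the PR text above, while callbackResult, terminalDenialMessage, pollApply, login and the check callback are assumptions standing in for the real types in OAuthProvider.Login. The point it makes visible is the failure mode the PR fixes: a terminal denial returns before any poll happens, whereas cli_not_enabled still polls until the apply request is submitted or the context deadline (the 600 s timeout in the real CLI) expires.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Denial reasons named in the PR description (constants are this example's own naming).
const (
	DenialUserForbidden     = "user_forbidden"
	DenialUserNotAllowed    = "user_not_allowed"
	DenialChannelNotAllowed = "channel_not_allowed"
	DenialChannelRequired   = "channel_required"
	DenialCLINotEnabled     = "cli_not_enabled"
)

// callbackResult is a hypothetical stand-in for the value the OAuth callback handler
// hands back; DenialReason mirrors the field the PR threads through.
type callbackResult struct {
	Code         string
	DenialReason string
}

// ErrTerminalDenial marks denials that only an admin, not the user, can resolve.
var ErrTerminalDenial = errors.New("terminal auth denial")

// terminalDenialMessage returns the page's message and true for terminal reasons;
// for cli_not_enabled or no denial it returns false so the caller keeps polling.
func terminalDenialMessage(reason string) (string, bool) {
	switch reason {
	case DenialUserForbidden, DenialUserNotAllowed:
		return "您不在该组织的 CLI 授权人员范围内", true
	case DenialChannelNotAllowed, DenialChannelRequired:
		return "当前渠道未获得该组织授权,或组织已开启渠道管控", true
	default:
		return "", false
	}
}

// pollApply calls check every interval until it reports submitted=true, an error,
// or the context expires (the real CLI's 10-minute timeout maps onto ctx here).
func pollApply(ctx context.Context, interval time.Duration, check func() (bool, error)) error {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		submitted, err := check()
		if err != nil {
			return err
		}
		if submitted {
			return nil
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("timed out waiting for apply submission: %w", ctx.Err())
		case <-ticker.C:
		}
	}
}

// login is the hypothetical login path: the early-return switch runs before the
// polling loop, so terminal denials never enter it.
func login(ctx context.Context, res callbackResult, pollInterval time.Duration, check func() (bool, error)) error {
	if msg, terminal := terminalDenialMessage(res.DenialReason); terminal {
		return fmt.Errorf("%w: %s", ErrTerminalDenial, msg)
	}
	if res.DenialReason == DenialCLINotEnabled {
		return pollApply(ctx, pollInterval, check)
	}
	return nil // authorized: token exchange would follow (out of scope here)
}

func main() {
	// Constructed scenarios: a check that reports "submitted" on its second call.
	for _, reason := range []string{DenialUserForbidden, DenialChannelRequired, DenialCLINotEnabled, ""} {
		calls := 0
		check := func() (bool, error) { calls++; return calls >= 2, nil }
		ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
		err := login(ctx, callbackResult{DenialReason: reason}, 10*time.Millisecond, check)
		cancel()
		fmt.Printf("%-22q polls=%d err=%v\n", reason, calls, err)
	}
}
```

Running main shows the terminal reasons returning with zero polls and cli_not_enabled returning after the second poll; errors.Is on the returned error distinguishes a terminal denial from a polling timeout, which is what a caller would use to pick the exit code.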

@PeterGuy326 PeterGuy326 merged commit b0024aa into DingTalk-Real-AI:main Apr 17, 2026
6 checks passed