Remove OAuth2 pre-nonce state and PKCE transient fallbacks #2216

@chubes4

Problem

OAuth2Handler still falls back to provider-wide transient keys created before nonce-keyed state/PKCE storage.

Code references on origin/main (008878b6):

  • inc/Core/OAuth/OAuth2Handler.php:130 — fallback for states created before nonce-keyed storage.
  • inc/Core/OAuth/OAuth2Handler.php:254 — fallback for PKCE verifiers created before nonce-keyed storage.

Why this matters

OAuth state and PKCE verifiers are short-lived. The migration window for old transient keys should be over before 1.0. Keeping provider-wide fallbacks preserves a weaker concurrency contract and makes the current nonce-keyed contract less crisp.

Acceptance criteria

  • Remove reads from datamachine_{$provider_key}_oauth_state as a fallback for nonce-keyed state.
  • Remove reads from datamachine_{$provider_key}_pkce_verifier as a fallback for nonce-keyed PKCE verifiers.
  • Keep cleanup of old keys only if useful and harmless, or delete that cleanup after confirming no current write path uses those keys.
  • Tests cover concurrent OAuth flows by provider+state and prove mismatched state/verifier pairs fail closed.

AI assistance

  • AI assistance: Yes
  • Tool(s): OpenCode (GPT-5.5)
  • Used for: 1.0 technical-debt audit and issue drafting; Chris requested tracking issues for the findings.
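
The contract the acceptance criteria describe, as an added example that is not Data Machine's own code: state and PKCE verifier are stored per provider and state nonce, looked up once, and never recovered from a provider-wide key. The class name, the key layout and the in-memory array standing in for WordPress transients are assumptions made for illustration.

```php
<?php
// Added example: hypothetical store, not Data Machine's OAuth2Handler.
// An in-memory array stands in for WordPress transients so this runs offline.
final class NonceKeyedOAuthStore {
    private array $entries = []; // key => [verifier, expiry timestamp]

    // Assumed key layout: one entry per provider + state nonce.
    private function key(string $provider, string $state): string {
        return "example_{$provider}_oauth_" . hash('sha256', $state);
    }
    private static function b64url(string $bytes): string {
        return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
    }
    public static function challenge(string $verifier): string {
        return self::b64url(hash('sha256', $verifier, true)); // PKCE S256
    }

    /** Start a flow; returns [state, code_challenge] for the authorize URL. */
    public function begin(string $provider, int $ttl = 900): array {
        $state    = bin2hex(random_bytes(16));
        $verifier = self::b64url(random_bytes(32));
        $this->entries[$this->key($provider, $state)] = [$verifier, time() + $ttl];
        return [$state, self::challenge($verifier)];
    }

    /** Callback: single-use lookup by provider + state, no provider-wide fallback. */
    public function consume(string $provider, string $state): ?string {
        $key   = $this->key($provider, $state);
        $entry = $this->entries[$key] ?? null;
        unset($this->entries[$key]); // burn the entry whether or not it is valid
        return ($entry !== null && $entry[1] >= time()) ? $entry[0] : null;
    }
}

function check(bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("FAILED: $what"); }
    echo "ok: $what\n";
}

// Two concurrent flows for the same (constructed) provider key.
$store = new NonceKeyedOAuthStore();
[$stateA, $challengeA] = $store->begin('example_provider');
[$stateB, $challengeB] = $store->begin('example_provider');
$verifierB = $store->consume('example_provider', $stateB); // B returns first
check($verifierB !== null && NonceKeyedOAuthStore::challenge($verifierB) === $challengeB, 'flow B gets its own verifier');
check(NonceKeyedOAuthStore::challenge($verifierB) !== $challengeA, 'B verifier does not satisfy A challenge');
check($store->consume('example_provider', $stateB) === null, 'replayed state fails closed');
check($store->consume('example_provider', 'forged-state') === null, 'unknown state fails closed');
check($store->consume('other_provider', $stateA) === null, 'state for another provider fails closed');
check($store->consume('example_provider', $stateA) !== null, 'flow A still completes');
```

With a single provider-wide key, the second `begin()` would overwrite the first flow's entry, so flow A's callback would be checked against flow B's state and verifier.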

Labels

  • 1.0-blocker: Blocks the Data Machine core 1.0 release
  • architecture: Foundational architecture changes
  • security: Security-related issues