Problem
cosigner-runtime/src/cosigner/handlers/device_token.rs persists tokens but never deletes them when FCM signals they're dead:
- No path responds to FCM's UNREGISTERED / INVALID_REGISTRATION / NOT_FOUND error codes returned from a send.
- No client-side DeleteDeviceToken RPC for the app to call on logout.
- Dead tokens age out only via the 60-day MAX_TOKEN_AGE_SECS cap.
Impact
Low. Pushes to dead tokens fail silently and are logged at warn level; nothing cascades. But tokens for uninstalled apps linger for up to 60 days, the per-user token list grows beyond the active devices, and push_vtxo_received wastes a network round-trip per dead token on every receive.
Suggested fix
Two parts:
- Server-side: in fcm_client.rs::send_to_token, when the response indicates UNREGISTERED / INVALID_REGISTRATION / NOT_FOUND, propagate that up so push_vtxo_received in the actor removes the row from state.device_tokens + sled. Make this best-effort — push delivery to other tokens shouldn't be gated on the cleanup.
- Client-side (optional): a DeleteDeviceToken RPC for the app to call on explicit logout / reset.
Discovered during PR #32 review.
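A sketch of the server-side part, added here as an illustration and not taken from the project's code: the send result is classified into delivered, dead token, or transient failure, and dead tokens are pruned only after every send has been attempted. `SendOutcome`, `classify` and `push_and_prune` are hypothetical names, the `HashMap` stands in for state.device_tokens + sled, and the `send` closure stands in for send_to_token.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
enum SendOutcome {
    Delivered,
    DeadToken,         // FCM reports the registration is gone: prune it
    Transient(String), // any other failure: keep the token
}

/// Map an FCM error code (None = success) to an outcome.
fn classify(error_code: Option<&str>) -> SendOutcome {
    match error_code {
        None => SendOutcome::Delivered,
        Some("UNREGISTERED" | "INVALID_REGISTRATION" | "NOT_FOUND") => SendOutcome::DeadToken,
        Some(other) => SendOutcome::Transient(other.to_string()),
    }
}

/// Push to every token of `user`, then drop the dead ones.
/// Returns (delivered, pruned).
fn push_and_prune<F>(tokens: &mut HashMap<String, Vec<String>>, user: &str, mut send: F) -> (usize, usize)
where
    F: FnMut(&str) -> Option<&'static str>,
{
    let Some(list) = tokens.get_mut(user) else { return (0, 0) };
    let mut delivered = 0;
    let mut dead: Vec<String> = Vec::new();
    for tok in list.iter() {
        match classify(send(tok.as_str())) {
            SendOutcome::Delivered => delivered += 1,
            SendOutcome::DeadToken => dead.push(tok.clone()),
            SendOutcome::Transient(code) => eprintln!("warn: push failed ({code}), token kept"),
        }
    }
    // Cleanup runs after all sends, so it never gates delivery to other tokens.
    list.retain(|t| !dead.contains(t));
    (delivered, dead.len())
}

fn main() {
    // Constructed sample data: one live, one dead, one transiently failing token.
    let mut tokens = HashMap::new();
    tokens.insert("alice".to_string(), vec!["tok-live".into(), "tok-gone".into(), "tok-flaky".into()]);
    let sent = push_and_prune(&mut tokens, "alice", |t: &str| match t {
        "tok-gone" => Some("UNREGISTERED"),
        "tok-flaky" => Some("UNAVAILABLE"),
        _ => None,
    });
    println!("{sent:?} remaining={:?}", tokens["alice"]);
}
```

Only the three codes named in the issue trigger deletion; a transient error leaves the token in place so a temporary outage cannot wipe a user's registered devices.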