Browser back after expiry sends OTP via the default email template (client branding lost)

[lukesmmr]

Summary

When the user uses browser back from the timeout error to retry, the styled email input still appears, but the OTP email that follows arrives in the default unstyled template. The client identifier is no longer in scope at OTP-send time even though the form looks branded.

Reproduce

1. Steps 1-3 from issue 1 (reach the timeout error page).
2. Browser back to the styled email input.
3. Submit email.

Actual

OTP delivered using the default email template. Client branding (subject, header, footer) is missing.

Expected

The OTP email retains the original client's template, matching what the user received on the first attempt of the same flow.

Notes

• Sibling problem to Brand error pages with trusted-client CSS injection (where clientId is in scope) #139 but on the email surface, not the error page. After auth_flow deletion, the clientId needed to resolve the email template is gone for the same reason it's gone for error-page CSS.
• Likely depends on the same fix path Brand error pages with trusted-client CSS injection (where clientId is in scope) #139 contemplates (deferring auth_flow deletion, or carrying clientId forward another way).
• The error-page styling half of this symptom is already covered by Brand error pages with trusted-client CSS injection (where clientId is in scope) #139 — flagging only the email-template half here to keep the tickets non-overlapping.