
fix: stop coupling grant lifetime to session approval window #62

Open

tnunamak wants to merge 1 commit into main from fix/decouple-grant-expiry-from-session

Conversation

@tnunamak (Member)

Summary

  • Stop passing the session relay's expiresAt as the grant's expiresAt
  • Grants now default to expiresAt=0 (no automatic time-based expiry), living until explicitly revoked

Problem

The grant flow was deriving expiresAt from flowState.session.expiresAt — which is the session approval window set by the session relay (typically ~2 hours). This value was being passed to createGrant(), causing grants to expire after ~2 hours even though the user intended a standing authorization.

These are conceptually different lifetimes:

  • Session expiresAt: how long the user has to click "Allow" (interactive approval window)
  • Grant expiresAt: how long the builder can access data (authorization lifetime)

This matches OAuth's separation: the interactive approval session (short-lived, consumed once) is distinct from the resulting authorization/consent (long-lived, revocable). The session's expiry should only gate whether the consent flow is still valid — which the flow already enforces before grant creation.

Per the protocol spec, expiresAt=0 means no automatic time-based expiry; grants remain valid until explicitly revoked (or until any future policy-based expiry is introduced).

Changes

  • use-grant-flow.ts: Remove expiresAt derivation from session; don't pass it to createGrant()
  • use-grant-flow.test.tsx: Update assertions to match (no expiresAt in createGrant calls)

Test plan

  • Verified 3 test failures are pre-existing on main (localStorage mock issue, unrelated)
  • Manual: initiate a grant flow → verify grant is created without short expiration
  • Verify grant persists beyond 2 hours and is accessible until revoked

The grant flow was passing the session relay's expiresAt (an approval-window
timeout) as the grant's expiresAt, causing grants to expire after ~2 hours.
Grants should live until explicitly revoked (expiresAt=0), matching the
protocol spec and OAuth conventions where the authorization code lifetime
is distinct from the refresh token lifetime.
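A minimal model of the coupling this PR removes, added here as an example and not the project's own code: the page names use-grant-flow.ts and createGrant() but shows neither, so the FlowState/Grant shapes and the createGrant signature below are assumptions. It puts the coupled form beside the decoupled one and keeps the session deadline gating flow completion, as the description says the flow already does.

```typescript
// Added example (not the project's code): a minimal model of the two lifetimes the PR
// separates. Names such as FlowState, Grant and createGrant are assumptions here.
interface SessionRelay { id: string; expiresAt: number }            // approval window, epoch ms
interface FlowState { session: SessionRelay; builderId: string; scopes: string[] }
interface Grant { builderId: string; scopes: string[]; expiresAt: number; revokedAt: number }
function createGrant(input: { builderId: string; scopes: string[]; expiresAt?: number }): Grant {
  // expiresAt=0 means no automatic time-based expiry (the default after the fix).
  return { builderId: input.builderId, scopes: input.scopes, expiresAt: input.expiresAt ?? 0, revokedAt: 0 };
}

// Before the fix: the session's approval-window deadline leaks into the grant.
function completeFlowCoupled(flow: FlowState, now: number): Grant {
  if (now > flow.session.expiresAt) throw new Error("approval window elapsed");
  return createGrant({ builderId: flow.builderId, scopes: flow.scopes, expiresAt: flow.session.expiresAt });
}

// After the fix: session expiry only gates whether "Allow" is still valid; the
// resulting grant carries no expiry and lives until revoked.
function completeFlowDecoupled(flow: FlowState, now: number): Grant {
  if (now > flow.session.expiresAt) throw new Error("approval window elapsed");
  return createGrant({ builderId: flow.builderId, scopes: flow.scopes });
}

// Authorization check the resource side would run: revocation first, then time-based expiry.
function isGrantActive(grant: Grant, now: number): boolean {
  if (grant.revokedAt !== 0 && now >= grant.revokedAt) return false;
  return grant.expiresAt === 0 || now < grant.expiresAt;
}
function revoke(grant: Grant, now: number): Grant { return { ...grant, revokedAt: now }; }

// Constructed sample: a 2 hour approval window opened at T0, approved 10 minutes in.
const T0 = 1_700_000_000_000;
const HOUR = 3_600_000;
const sampleFlow: FlowState = {
  session: { id: "sess-1", expiresAt: T0 + 2 * HOUR },
  builderId: "builder-a",
  scopes: ["read:profile"],
};
function demo(): { coupledAfter3h: boolean; decoupledAfter3h: boolean; decoupledAfterRevoke: boolean } {
  const approvedAt = T0 + 10 * 60_000;
  const coupled = completeFlowCoupled(sampleFlow, approvedAt);
  const decoupled = completeFlowDecoupled(sampleFlow, approvedAt);
  const later = T0 + 3 * HOUR;
  return {
    coupledAfter3h: isGrantActive(coupled, later),                        // false: died with the session
    decoupledAfter3h: isGrantActive(decoupled, later),                    // true: standing authorization
    decoupledAfterRevoke: isGrantActive(revoke(decoupled, later), later), // false: explicit revocation
  };
}
```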