codex Use issuer URL in device auth prompt link

Summary

When using device-code login with a custom issuer (--experimental_issuer), Codex correctly uses that issuer for the auth flow — but the terminal prompt still told users to open the default OpenAI device URL (https://auth.openai.com/codex/device). That’s confusing and can send users to the wrong domain (especially for enterprise/staging issuers). This PR updates the prompt (and related URLs) to consistently use the configured issuer. 🎯

🔧 What changed

🔗 Device auth prompt link now uses the configured issuer (instead of a hard-coded OpenAI URL)
🧭 Redirect callback URL is derived from the same issuer for consistency
🧼 Minor cleanup: normalize the issuer base URL once and reuse it (avoids formatting quirks like trailing /)

🧪 Repro + Before/After

▶️ Command

codex login --device-auth --experimental_issuer https://auth.example.com

❌ Before (wrong link shown)

1. Open this link in your browser and sign in to your account
   https://auth.openai.com/codex/device

✅ After (correct link shown)

1. Open this link in your browser and sign in to your account
   https://auth.example.com/codex/device

Full example output (same as before, but with the correct URL):

Welcome to Codex [v0.72.0]
OpenAI's command-line coding agent

Follow these steps to sign in with ChatGPT using device code authorization:

1. Open this link in your browser and sign in to your account
   https://auth.example.com/codex/device

2. Enter this one-time code (expires in 15 minutes)
   BUT6-0M8K4

Device codes are a common phishing target. Never share this code.

✅ Test plan

🟦 codex login --device-auth (default issuer): output remains unchanged
🟩 codex login --device-auth --experimental_issuer https://auth.example.com:
- prompt link points to the issuer ✅
- callback URL is derived from the same issuer ✅
- no double slashes / mismatched domains ✅