feat(lite): async wallet open with server failover

Opening an existing lite wallet ran synchronously on the UI thread and used a
single server, so a dead/unreachable lightwalletd server froze startup for the
connect timeout and then stranded the wallet ("disconnected" spinner) — and the
DragonX lite servers are flaky (often several down at once).

Add LiteWalletController::beginOpenExisting() / pumpAsyncOpen(): the open runs on
a background thread (mirroring the sync/broadcast shared-lifetime pattern — it
captures only shared_ptrs + value copies, never `this`), trying the preferred
server first and then every other usable default until one succeeds. The main
thread finalizes the result (flips walletOpen, starts sync) or records the reason.
The rollout gate is still checked up-front on the main thread.

App: auto-open now calls beginOpenExisting() and pumps it each tick, retrying on
a 20s interval so a transient outage self-heals once a server returns; a failed
open surfaces its reason (notification + Network tab) instead of a silent spinner.

Tested: a fake bridge that fails specific servers exercises both
preferred-dead -> fallback-opens and all-dead -> fails-with-reason. Built clean
for full-node, lite, and Windows cross-compile.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

src/app.h

@@ -444,6 +444,7 @@ private:
     // One-shot guard: auto-open an existing lite wallet on the first update() tick (kept off
     // init() so a slow initialize_existing network call doesn't freeze startup before the window).
     bool lite_autoopen_done_ = false;
+    double lite_open_last_attempt_ = 0.0;  // ImGui time of the last async open attempt (retry timer)
     // Reason an existing lite wallet failed to auto-open (e.g. server unreachable). Surfaced in
     // the UI so a stuck "disconnected" state isn't silent; cleared once a wallet opens.
     std::string lite_open_error_;