[hapoalim] harden WebView auth recovery after OTP #1038

Open: d0j wants to merge 1 commit into zenmoney:master from d0j:codex/hapoalim-webview-recovery-hardening
d0j (Contributor) commented May 14, 2026

Summary

  • start Bank Hapoalim cookie-store polling from the first WebView callback instead of waiting for an official bank request
  • flush and re-read the ZenMoney cookie store before auth recovery
  • retry cookie-store recovery after WebView close so delayed cookie visibility does not break login
  • verify recovered auth by successful /ServerServices/general/accounts?lang=he access instead of requiring immediate SMSESSION visibility
  • prefer more specific Bank Hapoalim cookie domains when duplicate auth cookies exist
  • add runtime-harness coverage for the actual openWebViewAndInterceptRequest helper path

Root cause

PR #1030 still assumed that the Android WebView bridge would expose auth cookies immediately and that SMSESSION would always be visible at the moment we tried to recover the session.

In practice, two things could still happen:

  1. the WebView never produced an intercepted official request, so cookie polling never started;
  2. after OTP or after pressing Back, the cookie jar became usable only with a delay, while recovery still made a one-shot decision.

That left the plugin stuck in the same state: the bank page was authenticated, but sync still treated the login as incomplete.

What changed

  • Polling now starts from the first WebView callback.
  • Cookie-store reads now try to flush cookies first via ZenMoney.saveCookies().
  • Recovery after WebView close now retries instead of making a single decision.
  • The recovery path no longer depends on immediate SMSESSION visibility; the real success signal is authenticated accounts access.
  • Cookie selection from the store is now deterministic and prefers exact host cookies over stale parent-domain entries.

Validation

  • src/plugins/hapoalim/__tests__/api.login.test.js
  • src/plugins/hapoalim/__tests__/api.runtimeHarness.test.js
  • src/plugins/hapoalim/__tests__/index.authFlow.test.js
  • yarn build hapoalim
  • ts-standard on changed Hapoalim files
  • tsc --noEmit
  • git diff --check
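
The description above names two behaviours that are easy to get subtly wrong: choosing deterministically among duplicate auth cookies, and retrying recovery until an authenticated request succeeds. The sketch below is an added example, not code from this pull request or the plugin; `domainMatches`, `pickAuthCookie`, `recoverSession`, the cookie object shape and the `bank.example` sample store are all assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not the plugin's API.

// RFC 6265 style domain-match: exact host, or a parent domain on a label boundary.
function domainMatches (host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, '').toLowerCase()
  const h = host.toLowerCase()
  return h === d || h.endsWith('.' + d)
}

// Pick one cookie deterministically: the most specific matching domain wins,
// then the longest path, then the original store order.
function pickAuthCookie (cookies, host, name) {
  const bare = c => c.domain.replace(/^\./, '')
  const candidates = cookies
    .map((cookie, index) => ({ cookie, index }))
    .filter(({ cookie }) => cookie.name === name && domainMatches(host, cookie.domain))
  candidates.sort((a, b) =>
    bare(b.cookie).length - bare(a.cookie).length ||
    (b.cookie.path || '/').length - (a.cookie.path || '/').length ||
    a.index - b.index)
  return candidates.length > 0 ? candidates[0].cookie : null
}

// Retry recovery: re-read the store on every attempt and accept only a
// successful authenticated request (verify) as proof of login. Seeing a
// session cookie in the store is not treated as success on its own.
async function recoverSession ({ readCookies, verify, attempts = 5, delayMs = 500 }) {
  for (let i = 0; i < attempts; i++) {
    const cookies = await readCookies()
    if (cookies.length > 0 && await verify(cookies)) return { ok: true, attempt: i + 1 }
    if (i < attempts - 1) await new Promise(resolve => setTimeout(resolve, delayMs))
  }
  return { ok: false, attempt: attempts }
}

// Constructed sample store: a stale parent-domain entry, a fresh exact-host
// entry, and a sibling-host entry that must never be selected.
const SAMPLE_HOST = 'login.bank.example'
const SAMPLE_STORE = [
  { name: 'SMSESSION', value: 'stale', domain: '.bank.example', path: '/' },
  { name: 'SMSESSION', value: 'fresh', domain: 'login.bank.example', path: '/' },
  { name: 'SMSESSION', value: 'sibling', domain: 'other.bank.example', path: '/' }
]
```

The label-boundary check in `domainMatches` keeps a cookie scoped to a different host from being attached to the bank request, and the bounded `attempts` ensures a session that never becomes valid ends in an explicit failure.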
