CBOR value of a threepidsid_pending row. The whole row carries a TTL via
expires_at so a validated-but-unconsumed session self-reaps rather than
leaking.

Result of [create_or_reuse_pending]: the session id to hand the client,
and the freshly minted token when a new message must be sent. A reused
session yields None, signalling no new mail.

Failed-validation ceiling: the session self-destructs once this many wrong
submissions have been counted, so the Nth burns and N-1 are tolerated. Caps
token brute-force (mirrors the device-grant ceiling).
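
An added sketch of the ceiling and TTL described above, not the project's own code: a wrong submission is counted, the Nth removes the session, and an expired row is reaped on access. `MAX_FAILED`, `Pending`, `Outcome`, `submit`, `ct_eq` and the sample values are assumptions made for illustration; the real row is CBOR in a store with its own TTL.

```rust
use std::collections::HashMap;

// Assumed ceiling N; the page does not state the real value.
const MAX_FAILED: u32 = 3;

#[derive(Debug, PartialEq)]
enum Outcome { Validated, Wrong { left: u32 }, Burned, Unknown }

// Hypothetical in-memory stand-in for the pending row.
struct Pending { token: String, expires_at: u64, failed: u32, validated: bool }

// Token comparison without an early exit, so timing does not reveal how
// many leading bytes matched. Only the length can leak.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

fn submit(store: &mut HashMap<String, Pending>, sid: &str, token: &str, now: u64) -> Outcome {
    let p = match store.get_mut(sid) {
        Some(p) => p,
        None => return Outcome::Unknown,
    };
    if now >= p.expires_at {
        store.remove(sid); // lazy reap stands in for the store's TTL
        return Outcome::Unknown;
    }
    if ct_eq(p.token.as_bytes(), token.as_bytes()) {
        p.validated = true; // row stays until consumed or expired
        return Outcome::Validated;
    }
    p.failed += 1;
    if p.failed >= MAX_FAILED {
        store.remove(sid); // the Nth wrong submission burns the session
        return Outcome::Burned;
    }
    Outcome::Wrong { left: MAX_FAILED - p.failed }
}

// Constructed sample session used by the demo.
fn sample(now: u64) -> HashMap<String, Pending> {
    let row = Pending { token: "482913".into(), expires_at: now + 600, failed: 0, validated: false };
    HashMap::from([("sid-1".to_string(), row)])
}

fn main() {
    let mut store = sample(1_000);
    for guess in ["000000", "111111", "222222", "482913"] {
        println!("{}: {:?}", guess, submit(&mut store, "sid-1", guess, 1_001));
    }
}
```

Because the burned session is removed rather than flagged, the correct token submitted after the Nth failure gets the same answer as an unknown session id.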