BUG: Rejected tool call lands query in 'done' phase but timeout lands it in 'error' phase

[hbachala]

Description

When an approval-required tool call is denied, the resulting query phase differs depending on how it was denied:

Denial method	Query phase	A2ATask status
POST /approval {"action":"rejected"}	done	failed
Timeout (no approval submitted)	error	failed

Both cases represent "approval was denied." The A2ATask ends in failed in both cases, but the Query resource phase is inconsistent — operators monitoring for failed approvals must check two different phases.

Steps to Reproduce

Reject path:

1. Submit a query that triggers an approval-required tool
2. Wait for input-required
3. curl -X POST .../v1/queries/$QNAME/approval -d '{"action":"rejected"}'
4. Observe: query phase → done, LLM generates a "not approved" acknowledgement response

Timeout path:

1. Submit a query that triggers an approval-required tool (use a short timeout, e.g. qa-delete-database has 30s)
2. Wait for input-required
3. Do NOT approve — wait for timeout to expire
4. Observe: query phase → error

Expected

Both cases should result in the same query phase (either both error or both done). Since rejection is intentional and timeout is a failure condition, error for timeout and done for explicit reject may be defensible — but it should be documented and consistent.

Actual

done for explicit reject, error for timeout — same A2ATask failed status, different Query phase.

Context

Discovered during HITL QA regression testing on feat/hitl-tool-calls-apply (2026-06-17). All 4 functional test scenarios (approve, reject, timeout, no-approval tool) passed correctly.