Add GitHub OAuth login with provider registry

Implement OAuth 2.0 login via GitHub as an alternative to email/password.
Uses a provider registry pattern (internal/auth/oauth/) so adding Google
or other providers later requires only a new Provider implementation.

Flow: GET /v1/auth/oauth/github redirects to GitHub, callback exchanges
the code for a user profile, upserts the user + team atomically, and
redirects to the frontend with a JWT token.

Key changes:
- Migration: make password_hash nullable, add oauth_providers table
- Provider registry with GitHubProvider (profile + email fallback)
- CSRF state cookie with HMAC-SHA256 validation
- Race-safe registration (23505 collision retries as login)
- Startup validation: CP_PUBLIC_URL required when OAuth is configured

Not fully tested — needs integration tests with a real GitHub OAuth app
and end-to-end testing with the frontend callback page.

db/queries/oauth.sql

@@ -0,0 +1,7 @@
+-- name: InsertOAuthProvider :exec
+INSERT INTO oauth_providers (provider, provider_id, user_id, email)
+VALUES ($1, $2, $3, $4);
+
+-- name: GetOAuthProvider :one
+SELECT * FROM oauth_providers
+WHERE provider = $1 AND provider_id = $2;

db/queries/users.sql

@@ -8,3 +8,8 @@ SELECT * FROM users WHERE email = $1;
 
 -- name: GetUserByID :one
 SELECT * FROM users WHERE id = $1;
+
+-- name: InsertUserOAuth :one
+INSERT INTO users (id, email)
+VALUES ($1, $2)
+RETURNING *;