Add GitHub OAuth login with provider registry

Implement OAuth 2.0 login via GitHub as an alternative to email/password.
Uses a provider registry pattern (internal/auth/oauth/) so adding Google
or other providers later requires only a new Provider implementation.

Flow: GET /v1/auth/oauth/github redirects to GitHub, callback exchanges
the code for a user profile, upserts the user + team atomically, and
redirects to the frontend with a JWT token.

Key changes:
- Migration: make password_hash nullable, add oauth_providers table
- Provider registry with GitHubProvider (profile + email fallback)
- CSRF state cookie with HMAC-SHA256 validation
- Race-safe registration (23505 collision retries as login)
- Startup validation: CP_PUBLIC_URL required when OAuth is configured

Not fully tested — needs integration tests with a real GitHub OAuth app
and end-to-end testing with the frontend callback page.

internal/config/config.go

@@ -13,6 +13,11 @@ type Config struct {
 	ListenAddr    string
 	HostAgentAddr string
 	JWTSecret     string
+
+	OAuthGitHubClientID     string
+	OAuthGitHubClientSecret string
+	OAuthRedirectURL        string
+	CPPublicURL             string
 }
 
 // Load reads configuration from a .env file (if present) and environment variables.
@@ -26,6 +31,11 @@ func Load() Config {
 		ListenAddr:    envOrDefault("CP_LISTEN_ADDR", ":8080"),
 		HostAgentAddr: envOrDefault("CP_HOST_AGENT_ADDR", "http://localhost:50051"),
 		JWTSecret:     os.Getenv("JWT_SECRET"),
+
+		OAuthGitHubClientID:     os.Getenv("OAUTH_GITHUB_CLIENT_ID"),
+		OAuthGitHubClientSecret: os.Getenv("OAUTH_GITHUB_CLIENT_SECRET"),
+		OAuthRedirectURL:        envOrDefault("OAUTH_REDIRECT_URL", "https://app.wrenn.dev"),
+		CPPublicURL:             os.Getenv("CP_PUBLIC_URL"),
 	}
 
 	// Ensure the host agent address has a scheme.