Add admin-managed OAuth sign-in flow

[Zetazzz]

Summary

• Add OAuth/OIDC sign-in routes to the GraphQL server using database-backed provider configuration.
• Add admin REST APIs for managing identity providers, including listing providers, updating client/config fields, and rotating client secrets.
• Add app auth settings APIs so admins can control OAuth-related auth behavior such as identity sign-in/sign-up, verified-email requirements, cookie settings, and OAuth error redirects.
• Add module loaders needed by the OAuth flow to discover identity provider, connected account, user auth, and auth settings metadata at runtime.
• Update @constructive-io/oauth with reusable signed state handling and provider/client support used by the server flow.

Behavior

• OAuth providers are read from admin-managed identity provider config.
• New OAuth identities can be gated on verified provider email.
• Existing identities are detected before choosing sign-in vs sign-up.
• OAuth state is signed and time-bound.
• Redirects are constrained to same-origin callback targets.

Follow-ups

• Loader cache invalidation and TTL policy.
• App settings interval parsing.
• App-settings-auth loader refactor.
• API service cache snapshots.
• Env config consolidation for CAPTCHA/upload settings.

Testing

• Not run in this pass.

[pyramation]

why are we making REST routes for things the user can query for via our APIs?

[pyramation]

this is hardcoding a schema... probably not the right path here, either.

[pyramation]

this is the right solution, because it queries for the schema