feat: add OIDC login with account linking

Add OpenID Connect as an alternative login method. Users can sign in
via an external identity provider (e.g., Authentik, Keycloak, Google).

- OIDC settings configured in admin UI (discovery URL, client ID/secret,
  redirect URI, button label, enable/disable toggle)
- PKCE-based authorization code flow with state and nonce validation
- Admin can manually link any user's OIDC identity (sub/issuer fields)
- Self-service linking: logged-in users can link/unlink their own account
- SSO button conditionally shown on login page when OIDC is enabled
- Username in header now clickable to open profile for all users
- Callback errors/success communicated via URL hash fragments

src/db/database.js

@@ -139,6 +139,17 @@ db.exec(`
   )
 `);
 
+// Migration: add OIDC columns to users
+const usersInfo2 = db.prepare('PRAGMA table_info(users)').all();
+if (!usersInfo2.some(c => c.name === 'oidc_sub')) {
+  db.exec(`
+    ALTER TABLE users ADD COLUMN oidc_sub TEXT;
+    ALTER TABLE users ADD COLUMN oidc_issuer TEXT;
+    CREATE UNIQUE INDEX IF NOT EXISTS idx_users_oidc ON users(oidc_issuer, oidc_sub)
+      WHERE oidc_sub IS NOT NULL;
+  `);
+}
+
 // Migration: create settings table
 db.exec(`
   CREATE TABLE IF NOT EXISTS settings (