feat(oidc): backend-mediated OIDC login + session cookies + cli config

Adds the OpenID Connect login flow Dialectic.Frontend will drive. Pattern
mirrors Fabric.Backend.Center: SPA → /api/auth/oidc/start → IdP →
/api/auth/oidc/callback → 302 to SPA with one-time ticket in URL fragment
→ SPA POST /api/auth/oidc/exchange → HttpOnly session cookie set.

What's added:

  - internal/oidc/service.go — runtime OIDC service:
    * BuildAuthorizeURL (PKCE S256 + random state, 10min ttl)
    * HandleCallback (token exchange + ID token verify + ticket mint, 60s ttl)
    * ExchangeTicket (ticket → session JWT, HS256 24h)
    * VerifySession (cookie validation)
    * GetConfig/SetConfig with sync.Map-backed state/ticket stores
    * SweepExpired (call from background goroutine; clears stale entries)
  - internal/db/migrations/004_oidc_config.sql — single-row oidc_config
    table (issuer/client_id/client_secret/redirect_uri/post_login_redirect/
    scopes/enabled). Runtime-mutable via dialectic-cli.
  - internal/httpapi/handlers/auth.go — 5 endpoints:
    GET  /api/auth/oidc/status   — { enabled }
    GET  /api/auth/oidc/start    — 302 to IdP
    GET  /api/auth/oidc/callback — IdP returns; we 302 to SPA with ticket
    POST /api/auth/oidc/exchange — ticket → cookie + user
    GET  /api/auth/me            — current session user (401 if anon)
    POST /api/auth/logout        — clears cookie
  - internal/auth: replaces the OIDCBrowser Phase-2C stub with one that
    reads the session cookie via SessionVerifier; keeps dev-bypass
    behind cfg.OIDCOnly gate (set OIDC_ONLY=true in prod to disable
    dev-bypass entirely)
  - cmd/dialectic-cli/main.go — new binary; subcommand
    'config oidc [--issuer ... --client-id ... --client-secret ...
                  --callback-url ... --enabled true|false]'
    Runs against same DB the backend uses; reachable via
    'docker exec dialectic-backend dialectic-cli config oidc ...'
  - Dockerfile: build both binaries; put on PATH for docker exec

Config:

  - SESSION_SIGNING_KEY env: required in prod, ephemeral random in dev.
    HS256 secret for session JWTs. Stable across restarts (rotation
    invalidates every session — kill switch).
  - OIDC_ONLY env: 'true' disables the dev-bypass path entirely; use
    in prod once OIDC is configured.
  - OIDC_ISSUER + OIDC_CLIENT_ID env are no longer required at boot —
    they're advisory bootstrap values for the oidc_config DB row.

Deps:
  - github.com/coreos/go-oidc/v3 (discovery + JWKS verify)
  - golang.org/x/oauth2 (token exchange + PKCE)
  - github.com/golang-jwt/jwt/v5 (session JWT)
  - Bumped go.mod toolchain to 1.25.

Pairs with Dialectic.Frontend (next commit) which removes the
/agents/:id admin page and adds the login button + /oidc/callback
SPA route + AuthProvider that talks to these new endpoints.
h z
2026-05-24 01:40:36 +01:00
parent 0b16b52ee7
commit 2463129dbd
11 changed files with 949 additions and 33 deletions


@@ -37,6 +37,8 @@ const (
type Caller struct {
Kind CallerKind
ID string // agentId for CallerAgent; userId for CallerUser; key-name for CallerSystem
Email string // CallerUser only; populated from OIDC id_token claim
Name string // CallerUser only; display name from OIDC
Roles []string // populated for CallerUser (from JWT claims); empty otherwise
}
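Review bot: the Roles comment still reads "populated for CallerUser (from JWT claims)", but with Email and Name now documented as coming from the OIDC id_token it is ambiguous which JWT populates Roles (the id_token, the session JWT, or neither); say so here so handlers doing role checks know what a cookie-authenticated CallerUser carries. Worth adding to the Email comment that it is optional (it depends on the scopes configured in oidc_config) and is not the identity key; ID (the OIDC sub) is.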
@@ -98,28 +100,58 @@ func AgentAPIKey(db *sqlx.DB, pepper string) func(http.Handler) http.Handler {
}
}
// OIDCBrowser middleware (Phase 2C stub):
// - Dev mode + `x-dev-bypass: <token>` header → admit as a fake user.
// - Otherwise: 401 with a hint pointing to the (not-yet-wired)
// Keycloak redirect path. The real JWKS-verifying middleware lands
// when the frontend is wired up; until then, browser callers can
// only reach the API via the dev bypass.
func OIDCBrowser(devMode bool, devBypassToken string) func(http.Handler) http.Handler {
// SessionVerifier is the contract OIDCBrowser uses to validate a
// session JWT (kept as an interface so this package doesn't depend on
// internal/oidc — internal/oidc.Service satisfies it).
type SessionVerifier interface {
VerifySession(raw string) (*SessionClaims, error)
}
// SessionClaims is the projection of OIDC user claims we care about.
// Mirrors internal/oidc.UserClaims (avoid cycle via this duplicate +
// adapter in routes.go).
type SessionClaims struct {
Sub string
Email string
Name string
}
// OIDCBrowser middleware (v0.3.0): looks for our session cookie set
// by /api/auth/oidc/exchange; falls back to x-dev-bypass in dev mode
// when OIDC isn't configured yet. Cookie name is fixed to
// "dialectic_session" — keep in sync with handlers/auth.go.
func OIDCBrowser(verifier SessionVerifier, devMode bool, devBypassToken string, oidcOnly bool) func(http.Handler) http.Handler {
const cookieName = "dialectic_session"
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if devMode && devBypassToken != "" {
// 1. Cookie session (production path).
if c, err := r.Cookie(cookieName); err == nil && c.Value != "" && verifier != nil {
if claims, err := verifier.VerifySession(c.Value); err == nil {
ctx := WithCaller(r.Context(), Caller{
Kind: CallerUser,
ID: claims.Sub,
Email: claims.Email,
Name: claims.Name,
})
next.ServeHTTP(w, r.WithContext(ctx))
return
}
}
// 2. Dev bypass — only when OIDC_ONLY isn't enforced.
if !oidcOnly && devMode && devBypassToken != "" {
if subtleEqual(r.Header.Get("x-dev-bypass"), devBypassToken) {
ctx := WithCaller(r.Context(), Caller{
Kind: CallerUser,
ID: "dev-operator",
Email: "dev-operator@localhost",
Name: "dev-operator (bypass)",
Roles: []string{"dialectic-admin"},
})
next.ServeHTTP(w, r.WithContext(ctx))
return
}
}
// Production path goes through Keycloak — Phase 4.
http.Error(w, "oidc login required (Phase 4: not yet wired)", http.StatusUnauthorized)
http.Error(w, "oidc login required", http.StatusUnauthorized)
})
}
}
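Review bot: the cookie path builds the Caller without Roles (SessionClaims has only Sub, Email and Name), while the dev bypass grants "dialectic-admin"; once OIDC_ONLY=true no caller ever carries a role, so any handler that checks Roles either denies every real user or, if it treats an empty slice as unrestricted, gives everyone the same access. Either add Roles to SessionClaims and the SessionVerifier contract (carried in the session JWT that ExchangeTicket mints) or document that the cookie path is role-less. The doc comment also says the bypass is used "when OIDC isn't configured yet", but the gate is only `!oidcOnly && devMode && devBypassToken != ""`, so a dev deployment with OIDC fully configured still accepts x-dev-bypass; either consult the config state or reword the comment. Lastly, the error from verifier.VerifySession is discarded; logging it at debug level (never the cookie value itself) would make signature failures and expired sessions visible during triage.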