feat(auth): admin OIDC settings page

New admin page /settings/oidc to configure the OIDC provider (issuer,
client id/secret, redirect/callback URL, scopes, post-login redirect).
Prominently shows the callback URL to register at the IdP, current
status/source, and the read-only deploy-level OIDC-only flag. Secret
is write-only (blank = keep). Sidebar entry for admins.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/components/Sidebar.tsx

@@ -41,6 +41,7 @@ export default function Sidebar({ user, onLogout }: Props) {
     ...(user.is_admin ? [
       { to: '/users', icon: '👥', label: 'Users' },
       { to: '/roles', icon: '🔐', label: 'Roles' },
+      { to: '/settings/oidc', icon: '🪪', label: 'OIDC' },
     ] : []),
   ] : [
     { to: '/monitor', icon: '📡', label: 'Monitor' },