feat: openai codex support (#292)

* feat(web): add provider oauth management ui

* feat: add OAuth callback support on port 1455

* feat: enhance reasoning effort options and support for OpenAI Codex OAuth

* feat: update twilight-ai dependency to v0.3.4

* refactor: promote openai-codex to first-class client_type, remove auth_type

Replace the previous openai-responses + metadata auth_type=openai-codex-oauth
combo with a dedicated openai-codex client_type. OAuth requirement is now
determined solely by client_type, eliminating the auth_type concept from the
LLM provider domain entirely.

- Add openai-codex to DB CHECK constraint (migration 0047) with data migration
- Add ClientTypeOpenAICodex constant and dedicated SDK/probe branches
- Remove AuthType from SDKModelConfig, ModelCredentials, TriggerConfig, etc.
- Simplify supportsOAuth to check client_type == openai-codex
- Add conf/providers/codex.yaml preset with Codex catalog models
- Frontend: replace auth_type selector with client_type-driven OAuth UI

---------

Co-authored-by: Acbox <acbox0328@gmail.com>

internal/db/sqlc/llm_provider_oauth.sql.go

@@ -0,0 +1,163 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.30.0
+// source: llm_provider_oauth.sql
+
+package sqlc
+
+import (
+	"context"
+
+	"github.com/jackc/pgx/v5/pgtype"
+)
+
+const deleteLlmProviderOAuthToken = `-- name: DeleteLlmProviderOAuthToken :exec
+DELETE FROM llm_provider_oauth_tokens WHERE llm_provider_id = $1
+`
+
+func (q *Queries) DeleteLlmProviderOAuthToken(ctx context.Context, llmProviderID pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteLlmProviderOAuthToken, llmProviderID)
+	return err
+}
+
+const getLlmProviderOAuthTokenByProvider = `-- name: GetLlmProviderOAuthTokenByProvider :one
+SELECT id, llm_provider_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, created_at, updated_at FROM llm_provider_oauth_tokens WHERE llm_provider_id = $1
+`
+
+func (q *Queries) GetLlmProviderOAuthTokenByProvider(ctx context.Context, llmProviderID pgtype.UUID) (LlmProviderOauthToken, error) {
+	row := q.db.QueryRow(ctx, getLlmProviderOAuthTokenByProvider, llmProviderID)
+	var i LlmProviderOauthToken
+	err := row.Scan(
+		&i.ID,
+		&i.LlmProviderID,
+		&i.AccessToken,
+		&i.RefreshToken,
+		&i.ExpiresAt,
+		&i.Scope,
+		&i.TokenType,
+		&i.State,
+		&i.PkceCodeVerifier,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getLlmProviderOAuthTokenByState = `-- name: GetLlmProviderOAuthTokenByState :one
+SELECT id, llm_provider_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, created_at, updated_at FROM llm_provider_oauth_tokens WHERE state = $1 AND state != ''
+`
+
+func (q *Queries) GetLlmProviderOAuthTokenByState(ctx context.Context, state string) (LlmProviderOauthToken, error) {
+	row := q.db.QueryRow(ctx, getLlmProviderOAuthTokenByState, state)
+	var i LlmProviderOauthToken
+	err := row.Scan(
+		&i.ID,
+		&i.LlmProviderID,
+		&i.AccessToken,
+		&i.RefreshToken,
+		&i.ExpiresAt,
+		&i.Scope,
+		&i.TokenType,
+		&i.State,
+		&i.PkceCodeVerifier,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const updateLlmProviderOAuthState = `-- name: UpdateLlmProviderOAuthState :exec
+INSERT INTO llm_provider_oauth_tokens (llm_provider_id, state, pkce_code_verifier)
+VALUES (
+  $1,
+  $2,
+  $3
+)
+ON CONFLICT (llm_provider_id) DO UPDATE SET
+  state = EXCLUDED.state,
+  pkce_code_verifier = EXCLUDED.pkce_code_verifier,
+  updated_at = now()
+`
+
+type UpdateLlmProviderOAuthStateParams struct {
+	LlmProviderID    pgtype.UUID `json:"llm_provider_id"`
+	State            string      `json:"state"`
+	PkceCodeVerifier string      `json:"pkce_code_verifier"`
+}
+
+func (q *Queries) UpdateLlmProviderOAuthState(ctx context.Context, arg UpdateLlmProviderOAuthStateParams) error {
+	_, err := q.db.Exec(ctx, updateLlmProviderOAuthState, arg.LlmProviderID, arg.State, arg.PkceCodeVerifier)
+	return err
+}
+
+const upsertLlmProviderOAuthToken = `-- name: UpsertLlmProviderOAuthToken :one
+INSERT INTO llm_provider_oauth_tokens (
+  llm_provider_id,
+  access_token,
+  refresh_token,
+  expires_at,
+  scope,
+  token_type,
+  state,
+  pkce_code_verifier
+)
+VALUES (
+  $1,
+  $2,
+  $3,
+  $4,
+  $5,
+  $6,
+  $7,
+  $8
+)
+ON CONFLICT (llm_provider_id) DO UPDATE SET
+  access_token = EXCLUDED.access_token,
+  refresh_token = EXCLUDED.refresh_token,
+  expires_at = EXCLUDED.expires_at,
+  scope = EXCLUDED.scope,
+  token_type = EXCLUDED.token_type,
+  state = EXCLUDED.state,
+  pkce_code_verifier = EXCLUDED.pkce_code_verifier,
+  updated_at = now()
+RETURNING id, llm_provider_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, created_at, updated_at
+`
+
+type UpsertLlmProviderOAuthTokenParams struct {
+	LlmProviderID    pgtype.UUID        `json:"llm_provider_id"`
+	AccessToken      string             `json:"access_token"`
+	RefreshToken     string             `json:"refresh_token"`
+	ExpiresAt        pgtype.Timestamptz `json:"expires_at"`
+	Scope            string             `json:"scope"`
+	TokenType        string             `json:"token_type"`
+	State            string             `json:"state"`
+	PkceCodeVerifier string             `json:"pkce_code_verifier"`
+}
+
+func (q *Queries) UpsertLlmProviderOAuthToken(ctx context.Context, arg UpsertLlmProviderOAuthTokenParams) (LlmProviderOauthToken, error) {
+	row := q.db.QueryRow(ctx, upsertLlmProviderOAuthToken,
+		arg.LlmProviderID,
+		arg.AccessToken,
+		arg.RefreshToken,
+		arg.ExpiresAt,
+		arg.Scope,
+		arg.TokenType,
+		arg.State,
+		arg.PkceCodeVerifier,
+	)
+	var i LlmProviderOauthToken
+	err := row.Scan(
+		&i.ID,
+		&i.LlmProviderID,
+		&i.AccessToken,
+		&i.RefreshToken,
+		&i.ExpiresAt,
+		&i.Scope,
+		&i.TokenType,
+		&i.State,
+		&i.PkceCodeVerifier,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}