refactor: unify providers and models tables

- Rename `llm_providers` → `providers`, `llm_provider_oauth_tokens` → `provider_oauth_tokens`
- Remove `tts_providers` and `tts_models` tables; speech models now live in the unified `models` table with `type = 'speech'`
- Replace top-level `api_key`/`base_url` columns with a JSONB `config` field on `providers`
- Rename `llm_provider_id` → `provider_id` across all references
- Add `edge-speech` client type and `conf/providers/edge.yaml` default provider
- Create new read-only speech endpoints (`/speech-providers`, `/speech-models`) backed by filtered views of the unified tables
- Remove old TTS CRUD handlers; simplify speech page to read-only + test
- Update registry loader to skip malformed YAML files instead of failing entirely
- Fix YAML quoting for model names containing colons in openrouter.yaml
- Regenerate sqlc, swagger, and TypeScript SDK

internal/db/sqlc/provider_oauth.sql.go

@@ -0,0 +1,163 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.30.0
+// source: provider_oauth.sql
+
+package sqlc
+
+import (
+	"context"
+
+	"github.com/jackc/pgx/v5/pgtype"
+)
+
+const deleteProviderOAuthToken = `-- name: DeleteProviderOAuthToken :exec
+DELETE FROM provider_oauth_tokens WHERE provider_id = $1
+`
+
+func (q *Queries) DeleteProviderOAuthToken(ctx context.Context, providerID pgtype.UUID) error {
+	_, err := q.db.Exec(ctx, deleteProviderOAuthToken, providerID)
+	return err
+}
+
+const getProviderOAuthTokenByProvider = `-- name: GetProviderOAuthTokenByProvider :one
+SELECT id, provider_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, created_at, updated_at FROM provider_oauth_tokens WHERE provider_id = $1
+`
+
+func (q *Queries) GetProviderOAuthTokenByProvider(ctx context.Context, providerID pgtype.UUID) (ProviderOauthToken, error) {
+	row := q.db.QueryRow(ctx, getProviderOAuthTokenByProvider, providerID)
+	var i ProviderOauthToken
+	err := row.Scan(
+		&i.ID,
+		&i.ProviderID,
+		&i.AccessToken,
+		&i.RefreshToken,
+		&i.ExpiresAt,
+		&i.Scope,
+		&i.TokenType,
+		&i.State,
+		&i.PkceCodeVerifier,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getProviderOAuthTokenByState = `-- name: GetProviderOAuthTokenByState :one
+SELECT id, provider_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, created_at, updated_at FROM provider_oauth_tokens WHERE state = $1 AND state != ''
+`
+
+func (q *Queries) GetProviderOAuthTokenByState(ctx context.Context, state string) (ProviderOauthToken, error) {
+	row := q.db.QueryRow(ctx, getProviderOAuthTokenByState, state)
+	var i ProviderOauthToken
+	err := row.Scan(
+		&i.ID,
+		&i.ProviderID,
+		&i.AccessToken,
+		&i.RefreshToken,
+		&i.ExpiresAt,
+		&i.Scope,
+		&i.TokenType,
+		&i.State,
+		&i.PkceCodeVerifier,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const updateProviderOAuthState = `-- name: UpdateProviderOAuthState :exec
+INSERT INTO provider_oauth_tokens (provider_id, state, pkce_code_verifier)
+VALUES (
+  $1,
+  $2,
+  $3
+)
+ON CONFLICT (provider_id) DO UPDATE SET
+  state = EXCLUDED.state,
+  pkce_code_verifier = EXCLUDED.pkce_code_verifier,
+  updated_at = now()
+`
+
+type UpdateProviderOAuthStateParams struct {
+	ProviderID       pgtype.UUID `json:"provider_id"`
+	State            string      `json:"state"`
+	PkceCodeVerifier string      `json:"pkce_code_verifier"`
+}
+
+func (q *Queries) UpdateProviderOAuthState(ctx context.Context, arg UpdateProviderOAuthStateParams) error {
+	_, err := q.db.Exec(ctx, updateProviderOAuthState, arg.ProviderID, arg.State, arg.PkceCodeVerifier)
+	return err
+}
+
+const upsertProviderOAuthToken = `-- name: UpsertProviderOAuthToken :one
+INSERT INTO provider_oauth_tokens (
+  provider_id,
+  access_token,
+  refresh_token,
+  expires_at,
+  scope,
+  token_type,
+  state,
+  pkce_code_verifier
+)
+VALUES (
+  $1,
+  $2,
+  $3,
+  $4,
+  $5,
+  $6,
+  $7,
+  $8
+)
+ON CONFLICT (provider_id) DO UPDATE SET
+  access_token = EXCLUDED.access_token,
+  refresh_token = EXCLUDED.refresh_token,
+  expires_at = EXCLUDED.expires_at,
+  scope = EXCLUDED.scope,
+  token_type = EXCLUDED.token_type,
+  state = EXCLUDED.state,
+  pkce_code_verifier = EXCLUDED.pkce_code_verifier,
+  updated_at = now()
+RETURNING id, provider_id, access_token, refresh_token, expires_at, scope, token_type, state, pkce_code_verifier, created_at, updated_at
+`
+
+type UpsertProviderOAuthTokenParams struct {
+	ProviderID       pgtype.UUID        `json:"provider_id"`
+	AccessToken      string             `json:"access_token"`
+	RefreshToken     string             `json:"refresh_token"`
+	ExpiresAt        pgtype.Timestamptz `json:"expires_at"`
+	Scope            string             `json:"scope"`
+	TokenType        string             `json:"token_type"`
+	State            string             `json:"state"`
+	PkceCodeVerifier string             `json:"pkce_code_verifier"`
+}
+
+func (q *Queries) UpsertProviderOAuthToken(ctx context.Context, arg UpsertProviderOAuthTokenParams) (ProviderOauthToken, error) {
+	row := q.db.QueryRow(ctx, upsertProviderOAuthToken,
+		arg.ProviderID,
+		arg.AccessToken,
+		arg.RefreshToken,
+		arg.ExpiresAt,
+		arg.Scope,
+		arg.TokenType,
+		arg.State,
+		arg.PkceCodeVerifier,
+	)
+	var i ProviderOauthToken
+	err := row.Scan(
+		&i.ID,
+		&i.ProviderID,
+		&i.AccessToken,
+		&i.RefreshToken,
+		&i.ExpiresAt,
+		&i.Scope,
+		&i.TokenType,
+		&i.State,
+		&i.PkceCodeVerifier,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}