OAuth SSO infrastructure + account app support

- OAuthCode model + migration for authorization code flow
- OAuth client blueprint (auto-registered for non-federation apps)
- Per-app first-party session cookies (fixes Safari ITP)
- /oauth/authorize endpoint support in URL helpers
- account_url() helper + Jinja global
- Templates: federation_url('/auth/...') → account_url('/...')
- Widget registry: account page links use account_url

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

alembic/versions/p6n4k0l2m3_add_oauth_codes_table.py

@@ -0,0 +1,37 @@
+"""Add oauth_codes table
+
+Revision ID: p6n4k0l2m3
+Revises: o5m3j9k1l2
+Create Date: 2026-02-23
+"""
+from alembic import op
+import sqlalchemy as sa
+
+revision = "p6n4k0l2m3"
+down_revision = "o5m3j9k1l2"
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        "oauth_codes",
+        sa.Column("id", sa.Integer(), autoincrement=True, nullable=False),
+        sa.Column("code", sa.String(128), nullable=False),
+        sa.Column("user_id", sa.Integer(), nullable=False),
+        sa.Column("client_id", sa.String(64), nullable=False),
+        sa.Column("redirect_uri", sa.String(512), nullable=False),
+        sa.Column("expires_at", sa.DateTime(timezone=True), nullable=False),
+        sa.Column("used_at", sa.DateTime(timezone=True), nullable=True),
+        sa.Column("created_at", sa.DateTime(timezone=True), server_default=sa.func.now(), nullable=False),
+        sa.PrimaryKeyConstraint("id"),
+        sa.ForeignKeyConstraint(["user_id"], ["users.id"], ondelete="CASCADE"),
+    )
+    op.create_index("ix_oauth_code_code", "oauth_codes", ["code"], unique=True)
+    op.create_index("ix_oauth_code_user", "oauth_codes", ["user_id"])
+
+
+def downgrade() -> None:
+    op.drop_index("ix_oauth_code_user", table_name="oauth_codes")
+    op.drop_index("ix_oauth_code_code", table_name="oauth_codes")
+    op.drop_table("oauth_codes")