OAuth SSO infrastructure + account app support

- OAuthCode model + migration for authorization code flow
- OAuth client blueprint (auto-registered for non-federation apps)
- Per-app first-party session cookies (fixes Safari ITP)
- /oauth/authorize endpoint support in URL helpers
- account_url() helper + Jinja global
- Templates: federation_url('/auth/...') → account_url('/...')
- Widget registry: account page links use account_url

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

models/__init__.py

@@ -1,6 +1,7 @@
 from .user import User
 from .kv import KV
 from .magic_link import MagicLink
+from .oauth_code import OAuthCode
 from .menu_item import MenuItem
 
 from .ghost_membership_entities import (

models/oauth_code.py

@@ -0,0 +1,25 @@
+from __future__ import annotations
+from datetime import datetime
+from sqlalchemy import String, Integer, DateTime, ForeignKey, func, Index
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+from shared.db.base import Base
+
+
+class OAuthCode(Base):
+    __tablename__ = "oauth_codes"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
+    code: Mapped[str] = mapped_column(String(128), unique=True, index=True, nullable=False)
+    user_id: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
+    client_id: Mapped[str] = mapped_column(String(64), nullable=False)
+    redirect_uri: Mapped[str] = mapped_column(String(512), nullable=False)
+    expires_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False)
+    used_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), nullable=True)
+    created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False, server_default=func.now())
+
+    user = relationship("User", backref="oauth_codes")
+
+    __table_args__ = (
+        Index("ix_oauth_code_code", "code", unique=True),
+        Index("ix_oauth_code_user", "user_id"),
+    )