Device cookie + internal endpoint for auth state detection

Each client app sets a persistent first-party device cookie ({app}_did).
On each request:
- Logged in: verify grant via account internal endpoint (cached 60s)
- Not logged in + device cookie: check-device endpoint detects if user
  logged in since last grant revocation → triggers OAuth automatically
No cross-domain cookies. No propagation chain. Each app checks independently.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

alembic/versions/q7o5l1m3n4_add_oauth_grants_table.py

@@ -20,12 +20,14 @@ def upgrade():
         sa.Column("user_id", sa.Integer, sa.ForeignKey("users.id", ondelete="CASCADE"), nullable=False),
         sa.Column("client_id", sa.String(64), nullable=False),
         sa.Column("issuer_session", sa.String(128), nullable=False),
+        sa.Column("device_id", sa.String(128), nullable=True),
         sa.Column("created_at", sa.DateTime(timezone=True), nullable=False, server_default=sa.func.now()),
         sa.Column("revoked_at", sa.DateTime(timezone=True), nullable=True),
     )
     op.create_index("ix_oauth_grant_token", "oauth_grants", ["token"], unique=True)
     op.create_index("ix_oauth_grant_issuer", "oauth_grants", ["issuer_session"])
     op.create_index("ix_oauth_grant_user", "oauth_grants", ["user_id"])
+    op.create_index("ix_oauth_grant_device", "oauth_grants", ["device_id", "client_id"])
 
     # Add grant_token column to oauth_codes to link code → grant
     op.add_column("oauth_codes", sa.Column("grant_token", sa.String(128), nullable=True))