Device cookie + internal endpoint for auth state detection

Each client app sets a persistent first-party device cookie ({app}_did).
On each request:
- Logged in: verify grant via account internal endpoint (cached 60s)
- Not logged in + device cookie: check-device endpoint detects if user
  logged in since last grant revocation → triggers OAuth automatically
No cross-domain cookies. No propagation chain. Each app checks independently.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

models/oauth_grant.py

@@ -19,6 +19,7 @@ class OAuthGrant(Base):
     user_id: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
     client_id: Mapped[str] = mapped_column(String(64), nullable=False)
     issuer_session: Mapped[str] = mapped_column(String(128), nullable=False, index=True)
+    device_id: Mapped[str | None] = mapped_column(String(128), nullable=True, index=True)
     created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False, server_default=func.now())
     revoked_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), nullable=True)
 
@@ -27,4 +28,5 @@ class OAuthGrant(Base):
     __table_args__ = (
         Index("ix_oauth_grant_token", "token", unique=True),
         Index("ix_oauth_grant_issuer", "issuer_session"),
+        Index("ix_oauth_grant_device", "device_id", "client_id"),
     )