feat: add OAuth 2.1 endpoints (register, authorize, token)

Add well-known metadata, dynamic client registration, authorization
flow with PKCE, and token exchange/refresh endpoints with route-level
integration tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/server/index.ts

@@ -11,6 +11,7 @@ import { itemRoutes } from "./routes/items.ts";
 import { settingsRoutes } from "./routes/settings.ts";
 import { setupRoutes } from "./routes/setups.ts";
 import { threadRoutes } from "./routes/threads.ts";
+import { oauthRoutes, wellKnownRoute } from "./routes/oauth.ts";
 import { totalRoutes } from "./routes/totals.ts";
 
 // Seed default data on startup
@@ -33,6 +34,14 @@ app.get("/api/health", (c) => {
 	return c.json({ status: "ok" });
 });
 
+// OAuth routes (must be before /api/* middleware)
+app.use("/oauth/*", async (c, next) => {
+	c.set("db", prodDb);
+	return next();
+});
+app.route("/.well-known", wellKnownRoute);
+app.route("/oauth", oauthRoutes);
+
 // Inject production database into request context
 app.use("/api/*", async (c, next) => {
 	c.set("db", prodDb);