Move OIDC config from env vars to database with admin API

OIDC provider settings (issuer, client ID/secret, roles claim) are
now stored in ClickHouse and managed via admin REST API at
/api/v1/admin/oidc. This allows runtime configuration from the UI
without server restarts.

- New oidc_config table (ReplacingMergeTree, singleton row)
- OidcConfig record + OidcConfigRepository interface in core
- ClickHouseOidcConfigRepository implementation
- OidcConfigAdminController: GET/PUT/DELETE config, POST test
  connectivity, client_secret masked in responses
- OidcTokenExchanger: reads config from DB, invalidateCache()
  on config change
- OidcAuthController: always registered (no @ConditionalOnProperty),
  returns 404 when OIDC not configured
- Startup seeder: env vars seed DB on first boot only, then admin
  API takes over
- HOWTO.md updated with admin OIDC config API examples

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

HOWTO.md

@@ -109,10 +109,10 @@ The env-var local user gets `ADMIN` role. Agents get `AGENT` role at registratio
 
 ### OIDC Login (Optional)
 
-When `CAMELEER_OIDC_ENABLED=true`, the server supports external identity providers (e.g. Authentik, Keycloak):
+OIDC configuration is stored in ClickHouse and managed via the admin API or UI. The SPA checks if OIDC is available:
 
 ```bash
-# 1. SPA checks if OIDC is available
+# 1. SPA checks if OIDC is available (returns 404 if not configured)
 curl -s http://localhost:8081/api/v1/auth/oidc/config
 # Returns: { "issuer": "...", "clientId": "...", "authorizationEndpoint": "..." }
 
@@ -125,6 +125,38 @@ curl -s -X POST http://localhost:8081/api/v1/auth/oidc/callback \
 
 Local login remains available as fallback even when OIDC is enabled.
 
+### OIDC Admin Configuration (ADMIN only)
+
+OIDC settings are managed at runtime via the admin API. No server restart needed.
+
+```bash
+# Get current OIDC config
+curl -s -H "Authorization: Bearer $TOKEN" http://localhost:8081/api/v1/admin/oidc
+
+# Save OIDC config (client_secret: send "********" to keep existing, or new value to update)
+curl -s -X PUT http://localhost:8081/api/v1/admin/oidc \
+  -H "Content-Type: application/json" \
+  -H "Authorization: Bearer $TOKEN" \
+  -d '{
+    "enabled": true,
+    "issuerUri": "http://authentik:9000/application/o/cameleer/",
+    "clientId": "your-client-id",
+    "clientSecret": "your-client-secret",
+    "rolesClaim": "realm_access.roles",
+    "defaultRoles": ["VIEWER"]
+  }'
+
+# Test OIDC provider connectivity
+curl -s -X POST http://localhost:8081/api/v1/admin/oidc/test \
+  -H "Authorization: Bearer $TOKEN"
+
+# Delete OIDC config (disables OIDC)
+curl -s -X DELETE http://localhost:8081/api/v1/admin/oidc \
+  -H "Authorization: Bearer $TOKEN"
+```
+
+**Initial provisioning**: OIDC can also be seeded from `CAMELEER_OIDC_*` env vars on first startup (when DB is empty). After that, the admin API takes over.
+
 ### Authentik Setup (OIDC Provider)
 
 Authentik is deployed alongside the Cameleer stack. After first deployment:
@@ -140,7 +172,7 @@ Authentik is deployed alongside the Cameleer stack. After first deployment:
    - Name: `Cameleer`
    - Provider: select `Cameleer` (created above)
 4. **Configure roles** (optional): Create groups in Authentik and map them to Cameleer roles via the `roles-claim` config. Default claim path is `realm_access.roles`. For Authentik, you may need to customize the OIDC scope to include group claims.
-5. **Set env vars** on the Cameleer server:
+5. **Configure Cameleer**: Use the admin API (`PUT /api/v1/admin/oidc`) or set env vars for initial seeding:
    ```
    CAMELEER_OIDC_ENABLED=true
    CAMELEER_OIDC_ISSUER=http://authentik:9000/application/o/cameleer/
@@ -148,8 +180,6 @@ Authentik is deployed alongside the Cameleer stack. After first deployment:
    CAMELEER_OIDC_CLIENT_SECRET=<client-secret-from-step-2>
    ```
 
-For K8s deployment, these are managed via the `cameleer-oidc` secret (see CI/CD section).
-
 ### User Management (ADMIN only)
 
 ```bash