feat: Google OAuth sign-in + per-user Gemini API key

Users with Google accounts can now sign in without a password.

Auth flow:
- GET /auth/google → Google consent page (CSRF state cookie)
- GET /auth/google/callback → exchange code, lookup user, set JWT
- auth.json gains google_sub + google_email fields
- set_password() no longer overwrites unrelated auth.json fields

Admin setup:
  python manage_passwords.py google-add <username> <email>
  # add GOOGLE_CLIENT_ID + GOOGLE_CLIENT_SECRET to .env

Per-user Gemini key:
- get_user_gemini_key() reads gemini_api_key from auth.json
- orchestrator_engine.run() accepts gemini_api_key param
- orchestrator router passes user's key, falls back to server key

login.html: "Sign in with Google" button above the password form.
manage_passwords.py list: now shows auth method columns (pw / google).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.env.default

@@ -13,6 +13,15 @@ USER_NAME=Scott
 # Default: ../home  (i.e. Cortex_and_Inara_dev/home/)
 # HOME_DIR=../home
 
+# ── Google OAuth — "Sign in with Google" ────────────────────────────────────
+# Create credentials at console.cloud.google.com → APIs & Services → Credentials
+# Application type: Web Application
+# Authorised redirect URI: https://cortex.dgrzone.com/auth/google/callback
+# Pre-register users: cd cortex && .venv/bin/python manage_passwords.py google-add <user> <email>
+# Per-user Gemini key: add "gemini_api_key": "AIza..." to home/{username}/auth.json
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+
 # ── Session auth ─────────────────────────────────────────────────────────────
 # Generate with: python3 -c "import secrets; print(secrets.token_hex(32))"
 JWT_SECRET=change-me-in-dotenv