feat: Google OAuth sign-in + per-user Gemini API key

Users with Google accounts can now sign in without a password.

Auth flow:
- GET /auth/google → Google consent page (CSRF state cookie)
- GET /auth/google/callback → exchange code, lookup user, set JWT
- auth.json gains google_sub + google_email fields
- set_password() no longer overwrites unrelated auth.json fields

Admin setup:
  python manage_passwords.py google-add <username> <email>
  # add GOOGLE_CLIENT_ID + GOOGLE_CLIENT_SECRET to .env

Per-user Gemini key:
- get_user_gemini_key() reads gemini_api_key from auth.json
- orchestrator_engine.run() accepts gemini_api_key param
- orchestrator router passes user's key, falls back to server key

login.html: "Sign in with Google" button above the password form.
manage_passwords.py list: now shows auth method columns (pw / google).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

cortex/auth_middleware.py

@@ -19,8 +19,8 @@ from auth_utils import COOKIE_NAME, decode_token
 # Paths that don't require a session cookie
 _PUBLIC = {"/login", "/logout", "/health"}
 
-# Path prefixes that are always public (setup flow + webhooks)
-_PUBLIC_PREFIXES = ("/setup/", "/channels/", "/webhook/")
+# Path prefixes that are always public (setup flow + webhooks + Google OAuth)
+_PUBLIC_PREFIXES = ("/setup/", "/channels/", "/webhook/", "/auth/google")
 
 
 class SessionAuthMiddleware(BaseHTTPMiddleware):