feat: Google OAuth sign-in + per-user Gemini API key
Users with Google accounts can now sign in without a password.

Auth flow:
- GET /auth/google → Google consent page (CSRF state cookie)
- GET /auth/google/callback → exchange code, lookup user, set JWT
- auth.json gains google_sub + google_email fields
- set_password() no longer overwrites unrelated auth.json fields

Admin setup:
  python manage_passwords.py google-add <username> <email>
  # add GOOGLE_CLIENT_ID + GOOGLE_CLIENT_SECRET to .env

Per-user Gemini key:
- get_user_gemini_key() reads gemini_api_key from auth.json
- orchestrator_engine.run() accepts gemini_api_key param
- orchestrator router passes user's key, falls back to server key

login.html: "Sign in with Google" button above the password form.
manage_passwords.py list: now shows auth method columns (pw / google).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -9,7 +9,7 @@ logging.basicConfig(level=logging.INFO, format="%(levelname)s:%(name)s: %(messag
|
||||
from config import settings
|
||||
from auth_middleware import SessionAuthMiddleware
|
||||
from routers import chat, google_chat, nextcloud_talk, files, distill, auth, orchestrator
|
||||
from routers import ui, onboarding, settings, help
|
||||
from routers import ui, onboarding, settings, help, auth_google
|
||||
|
||||
|
||||
@asynccontextmanager
|
||||
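Review bot: The edited `from routers import ui, onboarding, settings, help, auth_google` line rebinds `settings`, which `from config import settings` bound three lines earlier, so any later use of `settings` in this module refers to the router module and not the config object. Since this line is being touched anyway, alias the router imports (for example `from routers import settings as settings_router`) so that code reading OAuth configuration such as GOOGLE_CLIENT_ID cannot pick up the wrong object. The same line also shadows the built-in `help`.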
@@ -39,6 +39,9 @@ app.include_router(orchestrator.router)
|
||||
# ui.router has a wildcard /{username}/{persona} that would otherwise catch /static/style.css etc.
|
||||
app.mount("/static", StaticFiles(directory="static"), name="static")
|
||||
|
||||
# Google OAuth — must be before ui.router (wildcard /{user}/{persona} would swallow it)
|
||||
app.include_router(auth_google.router)
|
||||
|
||||
# Onboarding (invite tokens + persona creation — before ui.router)
|
||||
app.include_router(onboarding.router)
|
||||
|
||||
|
||||
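Review bot: `app.include_router(auth_google.router)` is registered unconditionally, while the commit message makes GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET an optional admin setup step, so `/auth/google` and `/auth/google/callback` are reachable on deployments that never configured them. Either include the router only when both values are set, or confirm the handlers fail closed with a clear error in that case; the diff does not show which. The new comment also documents that correctness depends on registration order relative to the `ui.router` wildcard, which is easy to break in a later reorder: a route test asserting that `/auth/google/callback` resolves to this router would pin it down.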