OAuth login buttons render even when provider credentials are not configured

[bpowers]

Description

The Google and Apple OAuth login buttons in Login.tsx are always rendered regardless of whether the server has configured credentials for those providers. When credentials are missing (e.g., local development with default config), clicking these buttons navigates to /auth/google or /auth/apple, which returns a 404 or error since the corresponding Passport strategies are not registered.

This creates a confusing user experience: buttons appear clickable but lead nowhere.

Why it matters

• Developer experience: Local development without OAuth credentials configured (a common setup) presents broken login buttons that silently fail or 404.
• User experience: In any deployment where only a subset of providers is enabled, users see buttons that do not work.
• Correctness: The UI should reflect the actual capabilities of the backend.

Component(s) affected

• src/app -- Login.tsx renders OAuth buttons unconditionally
• src/server -- no mechanism to communicate which providers are enabled to the client

Possible approaches

1. /auth/available-providers endpoint: Add a server endpoint that returns the list of enabled OAuth providers. The client queries this on the login page and conditionally renders buttons.
2. Server-rendered config: Pass available providers through the server-rendered HTML page (e.g., as a data attribute or inline script variable), avoiding an extra round-trip.
3. Feature flags in config: Use an environment variable or config object that both the server (to register strategies) and client (to render buttons) can reference.

Approach 2 is likely the most efficient since the login page is already server-rendered, avoiding an extra network request.

Context

Identified during review of the server-side auth migration (branch server-side-auth). Related to #78 and #109 (local login difficulties) but addresses a distinct, more specific problem.