[codex] use popup-only GitHub OAuth #7

Merged
Che-Zhu merged 1 commit into main from codex/github-oauth-popup-only-plan on Apr 28, 2026
Conversation

@Che-Zhu
Collaborator

@Che-Zhu Che-Zhu commented Apr 28, 2026

Summary

  • switch GitHub sign-in and connect flows to popup-only OAuth
  • require popup=true before starting GitHub OAuth and validate a popup cookie on callback
  • return static popup postMessage responses from the callback instead of redirecting the app shell
  • remove dynamic logs and raw user-facing OAuth errors from touched GitHub auth paths

Why

The main app shell should stay in place during GitHub authentication. Direct main-window visits to GitHub auth start routes should not remain as a successful OAuth path.

Validation

  • pnpm format
  • pnpm type-check
  • pnpm lint passes with existing warnings only

@Che-Zhu Che-Zhu marked this pull request as ready for review April 28, 2026 02:12
@Che-Zhu Che-Zhu merged commit d4829c2 into main Apr 28, 2026
5 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 655e65eaf1

}

function createGitHubPopupResponse(req: NextRequest, status: PopupStatus, responseInit?: ResponseInit): Response {
const origin = new URL(getAppBaseUrl(req)).origin

P1: Post auth result to opener origin, not configured base URL

The popup callback currently sends postMessage to new URL(getAppBaseUrl(req)).origin, but the popup client only accepts messages from the opener tab’s window.location.origin. When APP_BASE_URL (or forwarded host) differs from the origin where the user initiated auth (for example preview/alternate hostnames), the callback message is dropped and the parent tab reports popup_closed/timeout even though OAuth succeeded. This is a functional auth regression in multi-origin deployments introduced by the popup flow.

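The origin mismatch described in the comment above can be reproduced offline. What follows is an added example, not code from this PR or from the project: it models the two halves of the popup handshake as pure functions, together with a small model of the browser's targetOrigin gate, so the dropped-message case and the corrected case can both be run. The names (ALLOWED_APP_ORIGINS, pickPopupTargetOrigin, renderPopupResponse, readPopupResult, deliverPostMessage, simulate), the sample hostnames, and the approach of recording the initiating origin when the flow starts and checking it against an allowlist are assumptions for illustration, not the project's design.

```javascript
// Added example (not from the PR): models the postMessage half of a popup
// OAuth flow so the origin mismatch raised in the review can be reproduced.
// All names and hostnames here are hypothetical, not the project's API.

// Hypothetical allowlist of origins the app is legitimately served from.
const ALLOWED_APP_ORIGINS = new Set([
  "https://app.example.test",
  "https://preview.example.test",
]);

// Callback side: choose the targetOrigin for window.opener.postMessage.
// `initiatorOrigin` is assumed to have been recorded when the popup flow
// started (for example inside the signed OAuth state or the popup cookie).
// It is only used if it is on the allowlist; otherwise nothing is posted.
function pickPopupTargetOrigin(initiatorOrigin) {
  if (typeof initiatorOrigin !== "string") return null;
  let origin;
  try {
    origin = new URL(initiatorOrigin).origin; // normalises paths and trailing slashes
  } catch {
    return null; // not a URL at all
  }
  return ALLOWED_APP_ORIGINS.has(origin) ? origin : null;
}

// Static HTML body returned by the callback: posts the result to the opener
// with an explicit targetOrigin (never "*") and then closes the popup.
function renderPopupResponse(status, targetOrigin) {
  const payload = JSON.stringify({ type: "github-oauth", status });
  const target = JSON.stringify(targetOrigin);
  return [
    "<!doctype html><script>",
    `if (window.opener) window.opener.postMessage(${payload}, ${target});`,
    "window.close();",
    "</script>",
  ].join("\n");
}

// Opener side: trust a message only if (1) it comes from this tab's own
// origin, (2) it comes from the popup window this tab opened, and (3) it has
// the expected shape. Returns "success", "error" or null.
function readPopupResult(event, popupWindow, selfOrigin) {
  if (event.origin !== selfOrigin) return null;
  if (event.source !== popupWindow) return null;
  const data = event.data;
  if (!data || data.type !== "github-oauth") return null;
  return data.status === "success" || data.status === "error" ? data.status : null;
}

// Minimal model of the browser's targetOrigin gate: a posted message is
// delivered only when the receiving window's origin matches targetOrigin
// (or targetOrigin is "*"). Returns the MessageEvent-like object or null.
function deliverPostMessage(targetOrigin, receiverOrigin, senderOrigin, source, data) {
  if (targetOrigin !== "*" && targetOrigin !== receiverOrigin) return null; // dropped
  return { origin: senderOrigin, source, data };
}

// End-to-end simulation. openerOrigin is where the user started auth,
// callbackOrigin is where the callback page runs, targetOrigin is what the
// callback passes to postMessage. Returns what the parent tab observes.
function simulate(openerOrigin, callbackOrigin, targetOrigin) {
  const popup = { name: "github-oauth-popup" }; // stands in for the Window handle
  const event = deliverPostMessage(
    targetOrigin, openerOrigin, callbackOrigin, popup,
    { type: "github-oauth", status: "success" });
  if (!event) return "timeout"; // nothing arrives, so the tab eventually times out
  return readPopupResult(event, popup, openerOrigin) ?? "rejected";
}

// Scenario from the review: auth started on the preview host, but the
// callback posts to the configured base URL's origin.
console.log(simulate("https://preview.example.test", "https://preview.example.test",
  "https://app.example.test")); // timeout
// Corrected: post to the recorded, allowlisted initiator origin instead.
console.log(simulate("https://preview.example.test", "https://preview.example.test",
  pickPopupTargetOrigin("https://preview.example.test/"))); // success
```

Two checks carry the weight on the receiving side: `event.origin` against the tab's own origin and `event.source` against the popup handle it opened. On the sending side the targetOrigin has to name the opener's real origin; `"*"` would hand the result to whichever page holds the opener reference, and a configured base URL that differs from the opener's host produces exactly the silent drop the review describes.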
@Che-Zhu Che-Zhu deleted the codex/github-oauth-popup-only-plan branch April 28, 2026 02:23