[codex] Persist OAuth state and improve network setup

[Lihatoo]

What changed

• add persistent bind-host configuration and document direct network binding
• add Localhost vs Custom URL selection to devspace init
• preserve CLI executable permissions after builds
• persist dynamically registered OAuth clients plus hashed access/refresh tokens in SQLite
• add a restart-persistence test for OAuth state
• document /mcp URL requirements and invalid_client recovery

Why

ChatGPT reuses the client_id returned by dynamic client registration. DevSpace previously stored registered clients and tokens only in memory, so any server restart caused the reused client ID to fail with invalid_client. Users then had to delete and recreate the ChatGPT app.

The network setup also required manual workarounds when binding outside 127.0.0.1, and setup always required a custom public URL.

Impact

After one final app reconnection when upgrading from the old in-memory implementation, OAuth client IDs and refresh state survive DevSpace restarts. Operators can bind directly to a selected interface and choose localhost during setup when no public URL is needed.

Only token hashes are stored in SQLite; raw access and refresh tokens are not persisted.

Validation

• npm run typecheck
• npm test
• npm run build
• registered a DCR client, restarted DevSpace, and verified the same client_id still opened /authorize with HTTP 200
• verified local and public /healthz endpoints return HTTP 200