fix(management): support external base url for webui oauth callbacks

[cikichen]

Summary

• add remote-management.external-base-url so webui oauth callbacks can use a configured public base URL
• route Codex, Claude, Gemini CLI, and Antigravity webui oauth flows through provider-specific external callback paths when configured
• add config and management handler tests to cover external callback resolution and preserve localhost fallback behavior

[github-actions]

This pull request targeted main.

The base branch has been automatically changed to dev.

[gemini-code-assist]

Code Review

This pull request adds an "external-base-url" configuration to allow remote management clients to use public callback URLs instead of local forwarders for OAuth authentication across multiple providers. While the logic is implemented for several services, the PR is currently incomplete as it references a missing "ExchangeCodeForTokensWithRedirect" method for the Codex provider, which will prevent the code from compiling. Additionally, the feedback highlights an architectural inconsistency in how the Codex redirect URI is managed compared to other providers, recommending a more standardized approach within the authentication packages to eliminate manual URL manipulation.

[gemini-code-assist]

The method openaiAuth.ExchangeCodeForTokensWithRedirect is called here, but its definition is missing from the pull request. It appears that the necessary changes to internal/auth/codex/codex_auth.go (similar to those made for claude in internal/auth/claude/anthropic_auth.go) were not included in the patch set. This will result in a compilation error.

[gemini-code-assist]

There is an inconsistency in how the redirect_uri is updated for the codex provider compared to claude. While claude uses a new GenerateAuthURLWithRedirect method (added in this PR), codex relies on a manual query string replacement via replaceURLQueryValue. For better maintainability and consistency, the codex package should be updated with a similar WithRedirect method for URL generation, avoiding the need for manual URL manipulation in the handler.

[gemini-code-assist]

The replaceURLQueryValue function is only used as a workaround for the codex provider's API inconsistency. If the codex package is updated to support a redirect URI during URL generation (as suggested in the other comment), this utility function becomes unnecessary and should be removed to keep the codebase clean.

[luispater]

Summary

• Adds remote-management.external-base-url to support externally reachable OAuth callback URLs for WebUI flows.
• Routes Codex/Claude/Gemini CLI/Antigravity WebUI OAuth through provider-specific external callback paths when configured, and skips localhost callback forwarders in that case.
• Adds tests to cover external callback URL resolution and preserve localhost fallback behavior.

Key findings

• Blocking: None.
• Non-blocking:
  • Consider validating external-base-url scheme to http/https only to prevent accidental misconfiguration.
  • Tests currently rely on time.Sleep(600ms); polling with a timeout could reduce flakiness on slow runners.

Test plan

• go test ./internal/api/handlers/management ./internal/config ./internal/auth/claude

This is an automated Codex review result and still requires manual verification by a human reviewer.