fix: vision(#623): Forgejo OAuth gate for disinto-chat (#708)

Gate /chat/* behind Forgejo OAuth2 authorization-code flow.

- Extract generic _create_forgejo_oauth_app() helper in lib/ci-setup.sh;
  Woodpecker OAuth becomes a thin wrapper, chat gets its own app.
- bin/disinto init now creates TWO OAuth apps (woodpecker-ci + disinto-chat)
  and writes CHAT_OAUTH_CLIENT_ID / CHAT_OAUTH_CLIENT_SECRET to .env.
- docker/chat/server.py: new routes /chat/login (→ Forgejo authorize),
  /chat/oauth/callback (code→token exchange, user allowlist check, session
  cookie). All other /chat/* routes require a valid session or redirect to
  /chat/login. Session store is in-memory with 24h TTL.
- lib/generators.sh: pass FORGE_URL, CHAT_OAUTH_CLIENT_ID,
  CHAT_OAUTH_CLIENT_SECRET, EDGE_TUNNEL_FQDN, DISINTO_CHAT_ALLOWED_USERS
  to the chat container environment.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

bin/disinto

@@ -542,6 +542,12 @@ create_woodpecker_oauth() {
   _create_woodpecker_oauth_impl "$@"
 }
 
+# Create Chat OAuth2 app on Forgejo (implementation in lib/ci-setup.sh)
+create_chat_oauth() {
+  _load_ci_context
+  _create_chat_oauth_impl "$@"
+}
+
 # Generate WOODPECKER_TOKEN via Forgejo OAuth2 flow (implementation in lib/ci-setup.sh)
 generate_woodpecker_token() {
   _load_ci_context
@@ -860,6 +866,15 @@ p.write_text(text)
   _WP_REPO_ID=""
   create_woodpecker_oauth "$forge_url" "$forge_repo"
 
+  # Create OAuth2 app on Forgejo for disinto-chat (#708)
+  local chat_redirect_uri
+  if [ -n "${EDGE_TUNNEL_FQDN:-}" ]; then
+    chat_redirect_uri="https://${EDGE_TUNNEL_FQDN}/chat/oauth/callback"
+  else
+    chat_redirect_uri="http://localhost/chat/oauth/callback"
+  fi
+  create_chat_oauth "$chat_redirect_uri"
+
   # Generate WOODPECKER_AGENT_SECRET for server↔agent auth
   local env_file="${FACTORY_ROOT}/.env"
   if ! grep -q '^WOODPECKER_AGENT_SECRET=' "$env_file" 2>/dev/null; then