feat: fix GitHub auth flow

[MekDrop]

Summary

Fixes #52 — GitHub OAuth was completely broken due to several bugs across the frontend and worker.

Root causes fixed

AuthCallback.vue used <q-page> inside WizardLayout (Win98Window)
QPage requires a QLayout parent to inject layout context. Since WizardLayout uses a custom Win98Window component (not QLayout), the component threw during mount, preventing onMounted from firing and breaking the entire auth callback flow. Replaced with a plain div.

No CSRF state parameter
The GitHub OAuth redirect had no state parameter, leaving the flow open to CSRF attacks. loginGithub() now generates a crypto.randomUUID() state, stores it in sessionStorage, and includes it in the authorize URL. AuthCallback.vue verifies the returned state matches before accepting the token.

Error code mismatch
Worker was sending error=missing_code but the frontend error map only handled no_code. Now aligned — worker sends no_code and the map includes it along with the new invalid_state code.

GitLab callback had no error handling
exchangeGitlabCode errors were uncaught. Added try/catch with redirect to /login?error=no_token.

Test plan

• Click "Sign in with GitHub" → redirected to GitHub authorize page
• Authorize on GitHub → redirected back to /repos
• Tamper with state in the callback URL → redirected to /login with "state mismatch" error
• Worker returns no token → redirected to /login with "no token" error
• Missing code in worker callback → worker redirects to /login?error=no_code