
feat(cli): pin OIDC callback port via OPENSHELL_OIDC_REDIRECT_PORT#1900

Closed
harry-anderson wants to merge 1 commit into NVIDIA:main from harry-anderson:feat/oidc-redirect-port-env

Conversation

@harry-anderson


Summary

The OIDC browser login binds an ephemeral loopback port (127.0.0.1:0) for the authorization-code callback. IdPs that require an exact redirect-URI match and do not support a port wildcard reject the random port, so every openshell gateway login fails until that exact http://127.0.0.1:<random>/callback is registered with the IdP by hand.

This was hit in practice against an Okta org authorization server (exact redirect matching, no :* wildcard): each login picked a new port and had to be re-registered in the Okta app before the browser redirect would be accepted.

This adds OPENSHELL_OIDC_REDIRECT_PORT to pin the loopback callback port, so a single stable http://127.0.0.1:<port>/callback can be registered once with the IdP.

Related Issue

None filed. Happy to open one first if preferred per CONTRIBUTING.

Changes

  • crates/openshell-cli/src/oidc_auth.rs: in oidc_browser_auth_flow, resolve the callback bind address from OPENSHELL_OIDC_REDIRECT_PORT via a small oidc_redirect_bind_addr helper. When the var holds a valid u16 port, bind 127.0.0.1:<port>; when unset/empty/invalid, fall back to 127.0.0.1:0 (the existing ephemeral behavior is unchanged).
  • Unit tests for the helper (default, valid port, whitespace tolerance, invalid/empty/out-of-range fallback).

Behavior is fully backward compatible: with the env var unset, the bind address is exactly 127.0.0.1:0 as before.

Testing

  • cargo test -p openshell-cli oidc_redirect_bind_addr (helper unit tests).
  • Verified end to end against an Okta org auth server: with OPENSHELL_OIDC_REDIRECT_PORT set to a pre-registered port, openshell gateway login completes without per-login redirect-URI changes.

Checklist

  • Conventional commit message
  • DCO sign-off
  • mise run pre-commit (run on the contributor's build host)
  • Unit tests added
  • No AI attribution in commits

The OIDC browser login binds an ephemeral loopback port (127.0.0.1:0) for the
authorization-code callback. IdPs that require an exact redirect-URI match and
do not support a port wildcard (e.g. Okta org authorization servers) reject the
random port, so every login fails until the exact port is registered manually.

Add OPENSHELL_OIDC_REDIRECT_PORT to pin the callback port, so a single
http://127.0.0.1:<port>/callback can be registered with the IdP. Unset, empty,
or invalid values fall back to the ephemeral port, preserving existing behavior.

Signed-off-by: Harry Anderson <harry.anderson@smartcontract.com>
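As an added illustration for reviewers (not code from the PR or the OpenShell repository), this sketches the helper behaviour the description outlines: a trimmed, valid u16 pins the loopback port, while unset, empty, non-numeric or out-of-range values fall back to 127.0.0.1:0. The function names, the `_from` variant that takes the raw value so it can be unit-tested without touching the process environment, and the `redirect_uri` helper are assumptions; binding the pinned port surfaces an AddrInUse error if another local listener already holds it, which is the collision a pinned port introduces that the ephemeral default did not have.

```rust
use std::env;
use std::net::{Ipv4Addr, SocketAddrV4, TcpListener};

/// Environment variable introduced by the PR (name taken from the description).
pub const OIDC_REDIRECT_PORT_ENV: &str = "OPENSHELL_OIDC_REDIRECT_PORT";

/// Resolve a loopback bind address from the raw env value (hypothetical helper).
/// Whitespace is tolerated; anything that does not parse as u16 (empty, text,
/// negative, > 65535) falls back to port 0, i.e. the ephemeral behaviour.
pub fn oidc_redirect_bind_addr_from(raw: Option<&str>) -> SocketAddrV4 {
    let port = raw
        .map(str::trim)
        .filter(|s| !s.is_empty())
        .and_then(|s| s.parse::<u16>().ok())
        .unwrap_or(0);
    // Always loopback: the callback listener must never be reachable off-host.
    SocketAddrV4::new(Ipv4Addr::LOCALHOST, port)
}

/// Read the env var and resolve the bind address (hypothetical helper).
pub fn oidc_redirect_bind_addr() -> SocketAddrV4 {
    oidc_redirect_bind_addr_from(env::var(OIDC_REDIRECT_PORT_ENV).ok().as_deref())
}

/// Redirect URI the IdP must have registered for a given listener address.
pub fn redirect_uri<A: std::fmt::Display>(addr: A) -> String {
    format!("http://{addr}/callback")
}

fn main() -> std::io::Result<()> {
    let addr = oidc_redirect_bind_addr();
    // Binding resolves port 0 to a concrete ephemeral port. A pinned port that
    // another local process already holds fails here with AddrInUse instead of
    // silently moving to a different port, so the operator sees the collision.
    let listener = TcpListener::bind(addr)?;
    let bound = listener.local_addr()?;
    println!("register this redirect URI with the IdP: {}", redirect_uri(bound));
    Ok(())
}
```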
@copy-pr-bot

copy-pr-bot Bot commented Jun 14, 2026


This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@github-actions


Thank you for your submission! We ask that you sign our Developer Certificate of Origin before we can accept your contribution. You can sign the DCO by adding a comment below using this text:


I have read the DCO document and I hereby sign the DCO.


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the DCO Assistant Lite bot.

@github-actions


Thank you for your interest in contributing to OpenShell, @harry-anderson.

This project uses a vouch system for first-time contributors. Before submitting a pull request, you need to be vouched by a maintainer.

To get vouched:

  1. Open a Vouch Request discussion.
  2. Describe what you want to change and why.
  3. Write in your own words — do not have an AI generate the request.
  4. A maintainer will comment /vouch if approved.
  5. Once vouched, open a new PR (preferred) or reopen this one after a few minutes.

See CONTRIBUTING.md for details.

@github-actions github-actions Bot closed this Jun 14, 2026