Use gnexus-auth client library avatar_url property ...

- deps.py: use auth_user.avatar_url from gnexus-gauth DTO instead
  of guessing profile fields or Gravatar
- CLAUDE.md: add working rules section

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Revert "Fix avatar: use Gravatar instead of non-existent profile fields" ...

This reverts commit f485e54.

Fix avatar: use Gravatar instead of non-existent profile fields ...

Investigated gnexus-auth UserinfoController and found that the profile
response only contains: username, display_name, first_name, last_name,
phone, birth_date, country, city, locale, timezone. There is no picture
or avatar_url field.

- Add make_gravatar_url() helper in navi/auth/__init__.py
- Update deps.py to generate Gravatar URL from user email
- Update config.py default gnauth_profile_path to /account/profile
- Update .env.example comment accordingly
- Frontend already handles avatar_url correctly

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add avatar display and gnexus-auth profile link ...

Backend:
- User model: add avatar_url field
- auth/deps.py: extract avatar_url from auth_user.profile (picture/avatar_url)
- auth.py /auth/me: return avatar_url + computed profile_url
- config.py: add gnauth_profile_path setting
- .env.example: document GNAUTH_PROFILE_PATH

Frontend:
- AppSidebar.vue: show user avatar (or initial fallback) next to name
- Clicking user info opens gnexus-auth profile in new tab
- Rebuild dist/

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix pydantic-settings env var name mapping for auth ...

Pydantic-settings converts snake_case field names to UPPER_CASE env vars
by removing underscores.  gnexus_auth_client_id became GNEXUS_AUTH_CLIENT_ID
but .env used GNAUTH_CLIENT_ID.  Rename all Settings fields from
 gnexus_auth_* to gnauth_* so they map correctly to GNAUTH_* env vars.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add graceful auth-not-configured guards ...

- auth_login/auth_callback return 503 when GNAUTH_CLIENT_ID/SECRET are empty
- webhooks return 503 when OAuth not configured
- _resolve_user returns None early if auth not configured, avoiding crash
  during anonymous requests when gnexus-auth is not set up

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Support dynamic redirect_uri for multi-domain OAuth ...

- get_gauth_client(redirect_uri=...) creates per-request client with
  dynamic redirect_uri while keeping shared state/PKCE stores
- auth_login/auth_callback derive redirect_uri from request.base_url
  so both localhost and server addresses work with one gnexus-auth client

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Fix DDL race condition and PostgreSQL syntax error on startup ...

- _ensure_auth_tables now uses raw asyncpg.connect instead of get_session_store,
  avoiding PgSessionStore._MIGRATE running before navi_users exists
- Move _ensure_auth_tables before ensure_tables in startup so navi_users is
  created before any foreign-key references
- Replace invalid "ADD CONSTRAINT IF NOT EXISTS" with DO $$ block for
  memory_facts_user_cat_key

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Multi-user auth via gnexus-auth OAuth + hybrid role/permission model ...

- Integrate gnexus-auth-client-py (GAuthClient) for OAuth flow, token refresh,
  and webhook parsing
- Add navi/auth/ package: User model, Fernet encryptor, client singleton,
  deps (get_current_user, require_admin, require_permission)
- New tables: navi_users, user_auth_sessions (auto-created on startup)
- Session/memory isolation by user_id with legacy NULL support
- Cookie-based auth proxy: /auth/login, /callback, /logout, /me
- Webhook receiver /webhooks/gnexus-auth handling user events, global logout,
  session revocation, role/permission changes
- Admin endpoints (/admin/*) gated by role + permissions
- Webclient auth store with isAdmin/hasPermission guards
- Admin-only profile filtering in /agents/profiles
- 200/200 tests passing

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>