fix: store OAuth linking token server-side, remove JWT from URL and audit log

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

drizzle/0007_linking_tokens.sql

@@ -0,0 +1,5 @@
+CREATE TABLE `linking_tokens` (
+  `id` text PRIMARY KEY NOT NULL,
+  `token` text NOT NULL,
+  `created_at` text NOT NULL
+);

drizzle/meta/_journal.json

@@ -36,6 +36,27 @@
       "when": 1770395358533,
       "tag": "0004_slimy_grim_reaper",
       "breakpoints": true
+    },
+    {
+      "idx": 5,
+      "version": "6",
+      "when": 1770395358534,
+      "tag": "0005_remove_static_response",
+      "breakpoints": true
+    },
+    {
+      "idx": 6,
+      "version": "6",
+      "when": 1770395358535,
+      "tag": "0006_remove_redirects",
+      "breakpoints": true
+    },
+    {
+      "idx": 7,
+      "version": "6",
+      "when": 1740441600000,
+      "tag": "0007_linking_tokens",
+      "breakpoints": true
     }
   ]
-}
+}