feat(auth): 服务端托管 Google OAuth；修复未解锁 vault 时 bootstrap

- API：桌面登录 session、Google 托管回调与轮询
- Desktop：轮询登录；bootstrap 在 vault 未解锁时不返回 shell，避免跳过主密码
- 文档与 deploy/.env.example 对齐 GOOGLE_OAUTH_* 与 SECRETS_PUBLIC_BASE_URL

crates/infrastructure-db/src/migrate.rs

@@ -69,6 +69,28 @@ pub async fn migrate_current_schema(pool: &PgPool) -> Result<()> {
         CREATE INDEX IF NOT EXISTS idx_auth_events_device_id_created_at
             ON auth_events(device_id, created_at DESC);
 
+        CREATE TABLE IF NOT EXISTS desktop_login_sessions (
+            session_id          TEXT PRIMARY KEY,
+            oauth_state         TEXT NOT NULL UNIQUE,
+            pkce_verifier       TEXT NOT NULL,
+            device_name         VARCHAR(256) NOT NULL,
+            platform            VARCHAR(64) NOT NULL,
+            client_version      VARCHAR(64) NOT NULL,
+            device_fingerprint  TEXT NOT NULL,
+            status              VARCHAR(32) NOT NULL DEFAULT 'pending',
+            error_message       TEXT,
+            user_id             UUID REFERENCES users(id) ON DELETE SET NULL,
+            device_id           UUID REFERENCES devices(id) ON DELETE SET NULL,
+            device_token        TEXT,
+            device_token_hash   TEXT,
+            expires_at          TIMESTAMPTZ NOT NULL,
+            consumed_at         TIMESTAMPTZ,
+            created_at          TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+            updated_at          TIMESTAMPTZ NOT NULL DEFAULT NOW()
+        );
+        CREATE INDEX IF NOT EXISTS idx_desktop_login_sessions_status_expires
+            ON desktop_login_sessions(status, expires_at);
+
         CREATE TABLE IF NOT EXISTS vault_objects (
             object_id         UUID PRIMARY KEY,
             user_id           UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,