Native GitHub auth for route protection

Miren v0.8.0 route-protection works directly for OIDC-compliant providers (Google, GitLab, Keycloak) but falls off for GitHub, because GitHub doesn't expose an OIDC endpoint. The current answer is "stand up Dex," which means anyone who wants 'log in with GitHub' for their app gets pointed at running a federation server. Most teams write their own OAuth flow instead; the rfd app sitting next door has ~400 LOC of that workaround in tree.

Plan: embed Dex's connector packages (Apache-2.0, clean CallbackConnector interface, ~14 production-grade upstream implementations) as a Go library inside Miren's route-protection code. Add miren auth provider add --connector github --org ... as the surface. GitHub first; other connectors land cheaply once the interface is in place. Managed Dex as a cluster component stays out of scope (separate discussion if/when we want Miren to be an OIDC issuer for downstream clients).

Dogfood path: rfd is the natural first internal user, but the full conversion also depends on pass-through auth (MIR-889) so that some rfds can render to logged-out visitors. With both shipped, rfd's internal/cli/auth.go deletes.