fix: refactor auth settings to use api.ts, fix type alignment, OIDC token exchange

- Add auth management functions to api.ts (getAuthSettings, listUsers, etc.)
- Refactor auth settings page to use centralized api.ts instead of raw fetch (FUNC-H2)
- Add loading skeleton to auth settings page (UX-M16)
- Add exchangeOidcToken() for httpOnly cookie OIDC flow (SEC-H3)
- Fix Settings TypeScript type: has_npm_password boolean (FUNC-L)
- Add last_alive_at to Instance type (FUNC-L)

web/src/lib/auth.ts

@@ -28,3 +28,18 @@ export function clearAuth(): void {
 		localStorage.removeItem(TOKEN_KEY);
 	}
 }
+
+/** Exchanges the httpOnly OIDC cookie for a JWT token via the server endpoint. */
+export async function exchangeOidcToken(): Promise<string | null> {
+	try {
+		const res = await fetch('/api/auth/oidc/token', { method: 'POST' });
+		if (!res.ok) return null;
+		const envelope = await res.json();
+		if (envelope.success && envelope.data?.token) {
+			return envelope.data.token;
+		}
+		return null;
+	} catch {
+		return null;
+	}
+}