
fix(cli): propagate --gateway-insecure to OIDC auth flows#1535

Merged
TaylorMutch merged 1 commit into
NVIDIA:mainfrom
zanetworker:fix/gateway-insecure-oidc
May 22, 2026
Conversation

@zanetworker
Contributor

Summary

--gateway-insecure was not propagated to OIDC HTTP clients, causing gateway add and gateway login to fail when the OIDC issuer uses a self-signed TLS certificate (common on OpenShift with edge-terminated routes).

The flag already existed and was documented, but only applied to gRPC connections to the gateway. OIDC discovery, token exchange, and token refresh always verified certificates regardless of the flag.

Related Issue

Fixes #1534

Changes

  • Add insecure: bool parameter to discover(), http_client(), and all public OIDC functions in oidc_auth.rs
  • When insecure=true, build reqwest client with danger_accept_invalid_certs(true)
  • Add gateway_insecure: bool parameter to gateway_add() and gateway_login() in run.rs
  • Pass cli.gateway_insecure at both call sites in main.rs
  • Pass OPENSHELL_GATEWAY_INSECURE env var in the apply_auth token refresh path and completers.rs

Testing

  • mise run pre-commit passes (lint, format, license headers)
  • 9 new unit tests in oidc_auth.rs: client construction (secure/insecure), discovery failure paths, percent decoding, scope building, token bundle round-trip
  • 133 total lib tests pass, 0 failures
  • Manually verified on OpenShift with Keycloak using self-signed certs: gateway add --gateway-insecure --oidc-issuer https://... now completes OIDC discovery successfully

running 9 tests
test oidc_auth::tests::build_ci_scopes_empty_on_none ... ok
test oidc_auth::tests::percent_decode_basic ... ok
test oidc_auth::tests::build_scopes_deduplicates_openid ... ok
test oidc_auth::tests::build_scopes_always_includes_openid ... ok
test oidc_auth::tests::bundle_from_response_sets_fields ... ok
test oidc_auth::tests::http_client_insecure_builds_without_panic ... ok
test oidc_auth::tests::http_client_secure_rejects_self_signed ... ok
test oidc_auth::tests::discover_validates_issuer_mismatch ... ok
test oidc_auth::tests::discover_insecure_passes_flag_through ... ok

test result: ok. 9 passed; 0 failed; 0 ignored

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests not applicable (OIDC e2e requires Keycloak + gateway with self-signed certs)

Follow-up

This fix makes --gateway-insecure apply uniformly to both gRPC and OIDC HTTP connections. A better long-term solution would be a --oidc-ca-cert <path> CLI flag that lets users trust a specific CA for the OIDC issuer without disabling verification entirely. The server side already supports this via oidc.caConfigMapName in the Helm chart (PR #1373). The CLI equivalent would complete the story.

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (not applicable)

Thread the gateway_insecure flag through gateway_add(), gateway_login(),
and all OIDC HTTP clients so that --gateway-insecure and
OPENSHELL_GATEWAY_INSECURE apply to OIDC discovery, token exchange, and
token refresh requests.

Previously, the flag only affected gRPC connections to the gateway. OIDC
HTTP clients (reqwest::get and http_client) always verified TLS
certificates, causing gateway registration and login to fail when the
OIDC issuer used a self-signed certificate (common on OpenShift with
edge-terminated routes).

Fixes NVIDIA#1534

Signed-off-by: Adel Zaalouk <azaalouk@redhat.com>
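An added example (not OpenShell's own code) that models two behaviours the PR's unit tests name: resolving the effective insecure setting from the --gateway-insecure flag and the OPENSHELL_GATEWAY_INSECURE env var, and the issuer check that discovery still performs even when certificate verification is disabled. It uses std only; the env-var truthiness rule, the hand-rolled `issuer` extraction and the sample Keycloak issuer URL are assumptions, as the page does not state them.

```rust
/// Assumed truthiness rule for OPENSHELL_GATEWAY_INSECURE; the PR does not
/// say how the variable is parsed, so "1"/"true"/"yes" is a constructed choice.
fn env_flag_is_true(value: Option<&str>) -> bool {
    match value {
        Some(v) => matches!(v.trim().to_ascii_lowercase().as_str(), "1" | "true" | "yes"),
        None => false,
    }
}

/// The one setting threaded into every OIDC HTTP client (discovery, token
/// exchange, refresh): either the CLI flag or the env var opts out of TLS
/// verification. With neither set, verification stays on, which is the
/// default a reqwest client built without danger_accept_invalid_certs keeps.
pub fn effective_insecure(cli_flag: bool, env_value: Option<&str>) -> bool {
    cli_flag || env_flag_is_true(env_value)
}

/// Minimal extraction of the top-level "issuer" string from a discovery
/// document (constructed scanner; a real client would deserialize with serde).
fn issuer_from_discovery(doc: &str) -> Option<String> {
    let key = "\"issuer\"";
    let start = doc.find(key)? + key.len();
    let rest = doc[start..].trim_start().strip_prefix(':')?.trim_start();
    let rest = rest.strip_prefix('"')?;
    let end = rest.find('"')?;
    Some(rest[..end].to_string())
}

/// The check the PR's `discover_validates_issuer_mismatch` test covers: the
/// issuer in the fetched document must equal the configured one exactly, so
/// a document served by some other endpoint is rejected even in insecure mode.
pub fn validate_discovery(configured_issuer: &str, doc: &str) -> Result<String, String> {
    let discovered = issuer_from_discovery(doc).ok_or("discovery document has no issuer")?;
    if discovered != configured_issuer {
        return Err(format!("issuer mismatch: expected {configured_issuer}, got {discovered}"));
    }
    Ok(discovered)
}

/// Constructed sample discovery document for a hypothetical Keycloak realm.
pub const SAMPLE_DISCOVERY: &str = r#"{"issuer": "https://keycloak.example.test/realms/openshell",
 "token_endpoint": "https://keycloak.example.test/realms/openshell/protocol/openid-connect/token"}"#;

fn main() {
    let insecure = effective_insecure(false, Some("true"));
    println!("insecure = {insecure}");
    println!("{:?}", validate_discovery("https://keycloak.example.test/realms/openshell", SAMPLE_DISCOVERY));
}
```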
@copy-pr-bot

copy-pr-bot Bot commented May 22, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@TaylorMutch
Collaborator

/ok to test 8f53cfa

@TaylorMutch TaylorMutch merged commit f0f17bf into NVIDIA:main May 22, 2026
26 checks passed
@zanetworker zanetworker deleted the fix/gateway-insecure-oidc branch May 23, 2026 08:05
Development

Successfully merging this pull request may close these issues.

fix(cli): --gateway-insecure flag not applied to OIDC auth flows