refactor(providers): move auth status checks into provider runtimes

Move provider authentication status logic out of the CLI auth route so auth checks
live with the provider implementations that understand each provider's install
and credential model.

Add provider-specific auth runtime classes for Claude, Codex, Cursor, and Gemini,
and expose them through the shared provider contract as `provider.auth`. Add a
provider auth service that resolves providers through the registry and delegates
status checks via `auth.getStatus()`.

Keep the existing `/api/cli/<provider>/status` endpoints, but make them thin route
adapters over the new provider auth service. This removes duplicated route-local
credential parsing and makes auth status a first-class provider capability beside
MCP and message handling.

server/modules/providers/shared/base/abstract.provider.ts

@@ -1,4 +1,4 @@
-import type { IProvider, IProviderMcpRuntime } from '@/shared/interfaces.js';
+import type { IProvider, IProviderAuthRuntime, IProviderMcpRuntime } from '@/shared/interfaces.js';
 import type {
   FetchHistoryOptions,
   FetchHistoryResult,
@@ -9,12 +9,14 @@ import type {
 /**
  * Shared provider base.
  *
- * Concrete providers must implement message normalization and history loading
- * because both behaviors depend on each provider's native SDK/CLI event format.
+ * Concrete providers must expose auth/MCP runtimes and implement message
+ * normalization/history loading because those behaviors depend on native
+ * SDK/CLI formats.
  */
 export abstract class AbstractProvider implements IProvider {
   readonly id: LLMProvider;
   abstract readonly mcp: IProviderMcpRuntime;
+  abstract readonly auth: IProviderAuthRuntime;
 
   protected constructor(id: LLMProvider) {
     this.id = id;