fix: prevent nil-panic on server and improve OAuth callback handling

Load config eagerly during server startup so sortByUrgency never
hits a nil config. Add nil-guard in BuildUrgencyCoefficients as
belt-and-suspenders defense. Fix OAuth callback to support both
GET and POST, and resolve issuer URLs properly with path.Dir.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

opal-task/internal/api/handlers/oauth.go

@@ -39,7 +39,22 @@ func GetLoginURL(w http.ResponseWriter, r *http.Request) {
 
 // OAuthCallback handles the OAuth callback
 func OAuthCallback(w http.ResponseWriter, r *http.Request) {
-	code := r.URL.Query().Get("code")
+	var code string
+
+	// Support both GET (direct OAuth redirect) and POST (frontend exchange)
+	if r.Method == http.MethodPost {
+		var req struct {
+			Code string `json:"code"`
+		}
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			errorResponse(w, http.StatusBadRequest, "invalid request body")
+			return
+		}
+		code = req.Code
+	} else {
+		code = r.URL.Query().Get("code")
+	}
+
 	if code == "" {
 		errorResponse(w, http.StatusBadRequest, "missing code parameter")
 		return

opal-task/internal/api/server.go

@@ -41,6 +41,7 @@ func (s *Server) setupRoutes() {
 
 	// OAuth endpoints (no auth required)
 	r.Get("/auth/login", handlers.GetLoginURL)
+	r.Get("/auth/callback", handlers.OAuthCallback)
 	r.Post("/auth/callback", handlers.OAuthCallback)
 	r.Post("/auth/refresh", handlers.RefreshToken)
 	r.Post("/auth/logout", handlers.Logout)