fix: prevent nil-panic on server and improve OAuth callback handling

Load config eagerly during server startup so sortByUrgency never
hits a nil config. Add nil-guard in BuildUrgencyCoefficients as
belt-and-suspenders defense. Fix OAuth callback to support both
GET and POST, and resolve issuer URLs properly with path.Dir.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

opal-task/internal/auth/oauth.go

@@ -6,10 +6,23 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"net/url"
+	"path"
 
 	"golang.org/x/oauth2"
 )
 
+// issuerBase resolves ".." to get the base OAuth path from the issuer URL.
+// e.g. "https://auth.example.com/application/o/app/" -> "https://auth.example.com/application/o/"
+func issuerBase(issuer string) string {
+	u, err := url.Parse(issuer)
+	if err != nil {
+		return issuer
+	}
+	u.Path = path.Dir(path.Clean(u.Path)) + "/"
+	return u.String()
+}
+
 type OAuthClient struct {
 	config *oauth2.Config
 	cfg    *Config
@@ -22,8 +35,8 @@ func NewOAuthClient(cfg *Config) *OAuthClient {
 			ClientSecret: cfg.OAuthClientSecret,
 			RedirectURL:  cfg.OAuthRedirectURI,
 			Endpoint: oauth2.Endpoint{
-				AuthURL:  cfg.OAuthIssuer + "../authorize/",
-				TokenURL: cfg.OAuthIssuer + "../token/",
+				AuthURL:  issuerBase(cfg.OAuthIssuer) + "authorize/",
+				TokenURL: issuerBase(cfg.OAuthIssuer) + "token/",
 			},
 			Scopes: []string{"openid", "profile", "email"},
 		},
@@ -47,7 +60,7 @@ type UserInfo struct {
 }
 
 func (c *OAuthClient) GetUserInfo(ctx context.Context, accessToken string) (*UserInfo, error) {
-	req, err := http.NewRequestWithContext(ctx, "GET", c.cfg.OAuthIssuer+"../userinfo/", nil)
+	req, err := http.NewRequestWithContext(ctx, "GET", issuerBase(c.cfg.OAuthIssuer)+"userinfo/", nil)
 	if err != nil {
 		return nil, err
 	}