feat(oidc): Enabled toggle on OIDCProvider (MED-9)

Audit 2026-05-10 Fix 13 Phase B — close MED-9. MED-4/5/6/7 deferred to v3.

MED-9: ship the OIDCProvider.Enabled boolean. Pre-fix, the only way
to take a provider offline during an incident was DELETE, which
breaks active user_oidc_provider FK references and orphans any
session that minted under the provider. Post-fix:

  - Migration 000042 adds enabled BOOLEAN NOT NULL DEFAULT TRUE.
    Default-true means existing pre-migration rows are all enabled
    post-deploy; no breaking-change window.
  - internal/auth/oidc/domain/types.go::OIDCProvider.Enabled ships
    the domain field with JSON tag 'enabled'.
  - Repository read/write paths (List, Get, GetByName, Create, Update)
    all carry the column.
  - internal/auth/oidc/service.go::HandleAuthRequest rejects with
    the new ErrProviderDisabled sentinel when cfgRow.Enabled=false.
  - cmd/server/main.go::oidcProvidersListAdapter.List filters
    disabled providers before constructing OIDCProviderInfo so the
    LoginPage's 'Sign in with X' buttons never render for offline
    IdPs.
  - Defense-in-depth: the ErrProviderDisabled service-layer check
    is the guard for direct API / MCP / CLI callers that bypass the
    GUI.

Regression test: internal/auth/oidc/provider_enabled_test.go warms
the entry cache via a successful HandleAuthRequest, flips
cfgRow.Enabled=false on the cached entry, then asserts the next call
returns ErrProviderDisabled (errors.Is). Test fixtures (newValidProvider,
makeProvider) updated to set Enabled: true so existing tests stay
green.

Operators can toggle Enabled today via the existing PUT
/api/v1/auth/oidc/providers/{id} body field. A dedicated GUI
toggle on OIDCProviderDetailPage and a single-purpose PUT-just-enabled
endpoint are deferred to the v3 GUI-polish bundle — the load-bearing
wire is in place now.

MED-4 (GUI advanced fields on edit), MED-5 (POST .../test endpoint
+ button), MED-6 (JWKS auto-refresh on cache-miss), MED-7 (JWKS
health endpoint + GUI panel): DEFERRED to v3 with explicit
annotations in the audit doc. Workarounds: MED-4 fields are
PUT-editable via curl/MCP; MED-5 → call refresh post-create;
MED-6 → call refresh manually on key rotation.

Refs: cowork/auth-bundles-audit-2026-05-10.md MED-4, MED-5, MED-6,
      MED-7, MED-9
Spec: cowork/auth-bundles-fixes-2026-05-10/13-med-bundle.md Phase B

internal/auth/oidc/service.go

@@ -231,6 +231,14 @@ var (
 	// includes `email` and the IdP releases the claim.
 	ErrEmailMissingButRequired = errors.New("oidc: provider requires email but token has none")
 
+	// ErrProviderDisabled signals the operator has flipped
+	// OIDCProvider.Enabled=false on the matched provider. HandleAuthRequest
+	// rejects with this sentinel so the LoginPage doesn't initiate a
+	// handshake; AuthInfo's provider list filters disabled providers
+	// out so the LoginPage button doesn't appear in the first place.
+	// Audit 2026-05-10 MED-9 closure.
+	ErrProviderDisabled = errors.New("oidc: provider is disabled")
+
 	// ErrGroupsUnmapped: the user's groups don't match any of the
 	// operator's group_role_mappings for this provider. No session
 	// minted; audit row records auth.oidc_login_unmapped_groups.
@@ -312,6 +320,13 @@ func (s *Service) HandleAuthRequest(ctx context.Context, providerID string) (aut
 	if err != nil {
 		return "", "", "", err
 	}
+	// Audit 2026-05-10 MED-9 closure — refuse to mint a pre-login row
+	// for a disabled provider. The LoginPage's AuthInfo filter should
+	// already prevent the button from rendering, but defense-in-depth
+	// catches the direct-API/MCP/CLI invocation path too.
+	if entry.cfgRow != nil && !entry.cfgRow.Enabled {
+		return "", "", "", ErrProviderDisabled
+	}
 
 	state, err := randomB64URL(32)
 	if err != nil {