Split-out of the "split oidc.rs" item from #1249.

src/webserver/oidc.rs is the largest file in the codebase at 1556 lines (wc -l src/webserver/oidc.rs). Anyone touching cookie flags has to scroll past JWT verifier generics, HMAC logout signing, the awc transport adapter, and ~12 large openidconnect type aliases. These concerns are independent of each other, and the file's coupling to the rest of the codebase is tiny, so the split is low-risk and high-payoff.

External surface is only 5 symbols

$ grep -rn "oidc::" src | grep -v "src/webserver/oidc.rs"
src/lib.rs:89:use crate::webserver::oidc::OidcState;
src/lib.rs:138: let oidc_state = crate::webserver::oidc::initialize_oidc_state(config).await?;
src/webserver/http.rs:27:use super::oidc::OidcMiddleware;
src/webserver/http_request_info.rs:28:use super::oidc::OidcClaims;
src/webserver/database/sqlpage_functions/functions.rs:1058: if !crate::webserver::oidc::is_safe_relative_redirect(redirect_uri) {

So the entire 1556-line file is reached from outside through just OidcState, initialize_oidc_state, OidcMiddleware, OidcClaims, and is_safe_relative_redirect. A split is almost entirely internal and mechanical.

The concerns are physically interleaved

(line ranges at HEAD 162f996)

• Config / path matching (OidcConfig, is_public_path, get_app_host) talks only to AppConfig.
• Provider discovery + client build (OidcSnapshot, OidcState, maybe_refresh, build_oidc_client, make_oidc_client) plus the ~12 large openidconnect type aliases (OidcToken, OidcClaims, OidcTokenResponse, OidcClient) that visually dominate the file.
• Actix middleware / request routing (OidcMiddleware, OidcService, handle_request and the handle_* family).
• Token exchange + claim/nonce verification (process_oidc_callback, exchange_code_for_token, check_nonce, AudienceVerifier).
• Cookie/session + redirect plumbing (the *_cookie builders such as set_auth_cookie and create_tmp_login_flow_state_cookie, HMAC logout signing compute_logout_signature / verify_logout_params, is_safe_relative_redirect, build_redirect_response).
• A generic awc transport adapter (AwcHttpClient, ~110 lines through AwcWrapperError) implementing openidconnect::AsyncHttpClient over awc. This is not OIDC-specific. It is pub but used only within this file, so it should move to its own module where it becomes independently unit-testable.

Proposed change

Convert to a directory module:

oidc/
 mod.rs // re-exports the ~5 public symbols
 config.rs // OidcConfig, is_public_path, get_app_host
 discovery.rs // OidcState/OidcSnapshot, maybe_refresh, client build, type aliases
 middleware.rs // OidcMiddleware/OidcService, handle_request + handle_*
 flow.rs // callback / token exchange / claim + nonce verification
 session.rs // cookie builders, logout signing, redirect safety
 http_client.rs // the AwcHttpClient adapter (now independently testable)

Do not regress the good existing state

Two things must be preserved by the move:

• The real integration suite at tests/oidc/mod.rs (882 lines) spins up an embedded mock IdP (discovery/jwks/token endpoints) and covers the happy path, CSRF/nonce/signature/audience/issuer/expiry rejection, site-prefix, session-bound logout, and slow-discovery non-blocking behavior.
• The lock-free read discipline: OidcState::snapshot() returns an Arc<OidcSnapshot> so request handling never holds the RwLock across .await. The split must keep this intact.

Risks and mitigations

Purely mechanical move, no behavior change. Mitigations:

• Keep the public re-exports in mod.rs so no external code changes (the 5 call sites above stay byte-for-byte identical).
• Rely on the existing OIDC integration tests above to catch any wiring mistake.

Expected win

Navigable auth code; the transport adapter becomes unit-testable in isolation; and it is a prerequisite for any future second-IdP or server-side-session work.