refactor: add OAuth support to provider registry system

- Add is_oauth and oauth_provider fields to ProviderSpec
- Update _make_provider() to use registry for OAuth provider detection
- Update get_provider() to support OAuth providers (no API key required)
- Mark OpenAI Codex as OAuth-based provider in registry

This improves the provider registry architecture to support OAuth-based
authentication flows, making it extensible for future OAuth providers.

Benefits:
- OAuth providers are now registry-driven (not hardcoded)
- Extensible design: new OAuth providers only need registry entry
- Backward compatible: existing API key providers unaffected
- Clean separation: OAuth logic centralized in registry

nanobot/config/schema.py

@@ -132,15 +132,19 @@ class Config(BaseSettings):
         model_lower = (model or self.agents.defaults.model).lower()
 
         # Match by keyword (order follows PROVIDERS registry)
+        # Note: OAuth providers don't require api_key, so we check is_oauth flag
         for spec in PROVIDERS:
             p = getattr(self.providers, spec.name, None)
-            if p and any(kw in model_lower for kw in spec.keywords) and p.api_key:
-                return p
+            if p and any(kw in model_lower for kw in spec.keywords):
+                # OAuth providers don't need api_key
+                if spec.is_oauth or p.api_key:
+                    return p
 
         # Fallback: gateways first, then others (follows registry order)
+        # OAuth providers are also valid fallbacks
         for spec in PROVIDERS:
             p = getattr(self.providers, spec.name, None)
-            if p and p.api_key:
+            if p and (spec.is_oauth or p.api_key):
                 return p
         return None