feat(settings): make Claude Code OAuth token configurable in UI

The OAuth token that authenticates the spawned `claude` CLI was only
readable from the container env, so an expired token meant editing
.env on the Unraid host and rebuilding. Now it can be rotated from
the Settings page like every other key.

- Adds CLAUDE_CODE_OAUTH_TOKEN to the settings registry and a "Claude"
  card at the top of the settings UI.
- loadPipelineEnv() injects the DB value into every spawned subprocess
  env (overrides the container env), covering both campaign launches
  and chat sessions.
- checkIntegrationStatus() validates the token by hitting the Anthropic
  messages API with a 1-token call, surfacing 401s as "Token expired
  or invalid" instead of a generic "Not connected".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

lib/settings.ts

@@ -2,6 +2,9 @@ import { prisma } from "./prisma";
 
 // Settings keys and their env var fallbacks
 const SETTINGS_KEYS = {
+  // Claude Code CLI authentication (OAuth access token from Claude Max)
+  CLAUDE_CODE_OAUTH_TOKEN: { envVar: "CLAUDE_CODE_OAUTH_TOKEN", label: "Claude Code OAuth Token", placeholder: "sk-ant-oat01-...", secret: true },
+
   // Postiz
   POSTIZ_URL: { envVar: "POSTIZ_URL", label: "Postiz URL", placeholder: "http://localhost:5000" },
   POSTIZ_API_KEY: { envVar: "POSTIZ_API_KEY", label: "Postiz API Key", placeholder: "your-postiz-api-key", secret: true },
@@ -23,6 +26,12 @@ export const SETTINGS_CONFIG = SETTINGS_KEYS;
 
 // Grouped for UI
 export const SETTINGS_GROUPS = [
+  {
+    name: "Claude",
+    description: "OAuth access token for the Claude Code CLI subprocess that drives every pipeline agent. Get one with `claude setup-token` then `security find-generic-password -s 'Claude Code-credentials' -a $(whoami) -w` and use the `claudeAiOauth.accessToken` field. Tokens expire — refresh here when launches start failing with auth errors.",
+    docsUrl: "https://docs.claude.com/en/docs/claude-code/setup",
+    keys: ["CLAUDE_CODE_OAUTH_TOKEN"] as SettingKey[],
+  },
   {
     name: "Postiz",
     description: "Self-hosted social media scheduling. Handles Instagram and TikTok publishing.",
@@ -100,6 +109,39 @@ export async function checkIntegrationStatus(): Promise<Record<string, { connect
   const settings = await getAllSettings();
   const status: Record<string, { connected: boolean; error?: string }> = {};
 
+  // Claude OAuth token — validate by hitting the messages API with a 1-token call.
+  // A valid OAuth token returns 200; an expired/invalid one returns 401.
+  if (settings.CLAUDE_CODE_OAUTH_TOKEN) {
+    try {
+      const res = await fetch("https://api.anthropic.com/v1/messages", {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "anthropic-version": "2023-06-01",
+          "anthropic-beta": "oauth-2025-04-20",
+          Authorization: `Bearer ${settings.CLAUDE_CODE_OAUTH_TOKEN}`,
+        },
+        body: JSON.stringify({
+          model: "claude-haiku-4-5-20251001",
+          max_tokens: 1,
+          messages: [{ role: "user", content: "." }],
+        }),
+        signal: AbortSignal.timeout(10000),
+      });
+      if (res.ok) {
+        status.claude = { connected: true };
+      } else if (res.status === 401) {
+        status.claude = { connected: false, error: "Token expired or invalid" };
+      } else {
+        status.claude = { connected: false, error: `HTTP ${res.status}` };
+      }
+    } catch (e) {
+      status.claude = { connected: false, error: e instanceof Error ? e.message : "Connection failed" };
+    }
+  } else {
+    status.claude = { connected: false, error: "Not configured" };
+  }
+
   // Postiz
   if (settings.POSTIZ_URL && settings.POSTIZ_API_KEY) {
     try {