feat(proxy): embeddings + actor overrides + oauth callback paste + response-item compat

[joeblack2k]

Summary

• add OpenAI-compatible /v1/embeddings proxy endpoint with dedicated upstream routing
• add actor-aware override engine (per API key / app / IP) with optional forced model + reasoning effort
• add global "force everything" model/effort controls in Settings
• add request-log actor fields so usage can be attributed by app/IP/key
• add OAuth callback paste flow in Accounts UI (manual callback URL completion)
• add local response reference compatibility cache for store=false clients (OpenClaw-style chaining)
• add hardening for nested item_reference and rs_/resp_ id inputs in responses payloads
• add README docs for correct embeddings sidecar deployment (ollama/ollama) and required env wiring

Why

• Make codex-lb practical as a single OpenAI-compatible gateway for OpenClaw/Codex-style clients.
• Preserve memory/vector flows by providing a working embeddings path.
• Give operators deterministic routing and auditability when mixed clients hit the same gateway.
• Avoid OAuth callback dead-ends on non-localhost callback behavior.
• Reduce 404 regressions from response-item reference behavior when upstream requires store=false.
• Prevent deployment mistakes that produce /v1/embeddings 502 by documenting the required sidecar runtime.

Validation

• integration tests added for embeddings, settings/model-overrides, OAuth flow, and response-reference compatibility
• unit tests added for balancer and response-reference compatibility logic
• homelab runtime checks:
  • local /v1/embeddings -> HTTP 200
  • local /v1/chat/completions -> HTTP 200
  • public no-auth /v1/embeddings -> HTTP 401 (expected when key auth enforced)