feat(auth): add OAuth2 support for xAI with PKCE and token persistence

- Implemented xAI OAuth2 integration with PKCE (Proof Key for Code Exchange) support.
- Added logic for token exchange, refresh, and persistent storage in JSON format.
- Created `xai` package with helpers for OAuth discovery, API token handling, and URL building.
- Introduced `XAIExecutor` for integrating xAI credentials into runtime HTTP requests.
- Added unit tests to validate OAuth flow, token persistence, and endpoint validation.

sdk/cliproxy/service_xai_executor_binding_test.go

@@ -0,0 +1,36 @@
+package cliproxy
+
+import (
+	"testing"
+
+	"github.com/router-for-me/CLIProxyAPI/v7/internal/runtime/executor"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v7/sdk/cliproxy/auth"
+	"github.com/router-for-me/CLIProxyAPI/v7/sdk/config"
+)
+
+func TestEnsureExecutorsForAuth_XAIBindsIndependentExecutor(t *testing.T) {
+	service := &Service{
+		cfg:         &config.Config{},
+		coreManager: coreauth.NewManager(nil, nil, nil),
+	}
+	auth := &coreauth.Auth{
+		ID:       "xai-auth-1",
+		Provider: "xai",
+		Status:   coreauth.StatusActive,
+		Attributes: map[string]string{
+			"auth_kind": "oauth",
+		},
+	}
+
+	service.ensureExecutorsForAuth(auth)
+	resolved, ok := service.coreManager.Executor("xai")
+	if !ok || resolved == nil {
+		t.Fatal("expected xai executor after bind")
+	}
+	if _, isXAI := resolved.(*executor.XAIExecutor); !isXAI {
+		t.Fatalf("executor type = %T, want *executor.XAIExecutor", resolved)
+	}
+	if _, isCodex := resolved.(*executor.CodexAutoExecutor); isCodex {
+		t.Fatal("xai must not bind the codex auto executor")
+	}
+}