feat(transcript): public conversation-history detail page with Feishu OAuth (backend)

[uestney]

Summary

Add an opt-in public conversation-history detail page accessible from Feishu cards via a 📜 查看完整对话 markdown link. Page renders the complete turn history (assistant text + tool calls + tool results) from the Claude jsonl transcript, gated by Feishu OAuth + per-bot open_id whitelist.

This is the backend half. The matching frontend PR (feat/transcript-page-frontend) ships the React TranscriptView component and route registration in web/. Either PR can merge in any order — backend cards still render (just with a dead link until the frontend ships); the frontend page shows a friendly error against an old backend.

What's in this PR

• Three new HTTP routes (src/api/routes/transcript-routes.ts):
  • GET /api/auth/feishu/login?return=<url> — kicks off Feishu OAuth (passport.feishu.cn).
  • GET /api/auth/feishu/callback?code=...&state=... — verifies HMAC-signed state, exchanges code for open_id, signs an HttpOnly mb_session JWT cookie (7d), 302 to return.
  • GET /api/transcript/:chatId?turn=<n|all> — cookie + whitelist gated; returns parsed transcript JSON.
• OAuth helper (src/feishu/oauth.ts) — HMAC-signed state, OIDC token exchange, hand-rolled HS256 JWT (no jsonwebtoken dep). METABOT_SESSION_SECRET auto-generated to .env.local on first start.
• jsonl parser (src/session/transcript-reader.ts) — walks ~/.claude/projects/<workdir>/<sessionId>.jsonl, groups messages by turn (= user message boundaries), splits content[] into text / tool_use / tool_result, matches tool_use_id ↔ next-user-message's tool_result block.
• Path helpers in src/session/session-registry.ts — encodeWorkdir, projectTranscriptDir, sessionJsonlPath (storage-agnostic, no SQLite touched).
• Card markdown link — src/feishu/card-builder-v2.ts emits 📜 [查看完整对话历史](<publicBaseUrl>/web/transcript/<chatId>?turn=<n>) after the footer when the bot has transcriptLink set.
• Per-chat turn counter — MessageBridge increments a chatId → turnIndex map each turn, StreamProcessor.setTranscriptLink plumbs it into CardState.
• Typed config — publicBaseUrl?: string and transcriptAllowOpenIds?: string[] on each bot in bots.json. Without publicBaseUrl, the link is not rendered — fully backwards compatible.
• Auth exemptions in src/api/http-server.ts — /api/auth/feishu/* (browser hits, no Bearer header) and /api/transcript/* (cookie-authed) bypass the global Bearer check.

Whitelist precedence

1. bots.json → per-bot transcriptAllowOpenIds: string[] (recommended).
2. Fallback: .env → METABOT_TRANSCRIPT_ALLOW_OPEN_IDS (comma-separated).
3. Empty/missing → 403 with a friendly page that shows the logged-in user's open_id so the admin can copy/paste it into the whitelist.

Test plan

• npm run build — green.
• npm test — 323/323 passing (real tests/ dir; the 10 failures in stale _backup_dev/ are unrelated local-only files not on this branch).
• npm run lint — 0 errors (2 pre-existing warnings in unrelated files).
• OAuth round-trip from Feishu mobile + desktop (requires public deployment — being trialled on the SA bot at port 18443 behind a Caddy reverse-proxy to 127.0.0.1:10016).
• First-login whitelist bootstrap: confirm the 403 page surfaces open_id so admins can self-serve.
• Backwards compatibility: bot without publicBaseUrl → card renders exactly as before (no link), no warnings.

Not in this PR

• Frontend TranscriptView React component — separate PR.
• Real-time refresh / WebSocket — page is historical, REST-only.
• Comment / annotation / search across turns — future iteration.