-- OIDC front-channel logout support (per-provider opt-in). -- Front-channel logout is browser-mediated: on an IdP-initiated logout the IdP -- renders the RP's frontchannel_logout_uri in a hidden iframe, passing `iss` -- and `sid` query params. codit terminates the matching session by `sid` -- (cookie-independent, so it survives cross-site iframe cookie restrictions), -- reusing the same oidc_sid capture and issuer validation as back-channel -- logout. The flag gates whether a provider advertises/accepts the endpoint. ALTER TABLE auth_providers ADD COLUMN oidc_frontchannel_logout_enabled INTEGER NOT NULL DEFAULT 0;