feat(models): add Z.AI (GLM) credential integration and setup flow

Implement first-class Z.AI credential storage and authentication:

- New auth provider: src/auth/zai.ts for Z.AI API key management
- New CLI command: flynn zai-auth to store Z.AI API keys
- New TUI command: /login zai for interactive credential entry
- Modified src/auth/index.ts to register zai provider
- Modified src/cli/index.ts to register zai-auth command
- Modified src/cli/setup/providers.ts to include Z.AI in setup wizard
- Modified src/daemon/models.ts to support zhipuai use_oauth flag
- Modified src/daemon/clientFactory.test.ts to add Z.AI tests
- Modified src/frontends/tui/commands.ts to add login command
- Modified src/frontends/tui/minimal.ts to support credential prompts

This allows users to authenticate with Z.AI (GLM models) without
embedding secrets in config files. Credentials are stored securely in
~/.config/flynn/auth.json and resolved at runtime.

Updated state.json with new feature entry documenting the integration.

src/cli/zai-auth.ts

@@ -0,0 +1,59 @@
+import type { Command } from 'commander';
+import readline from 'readline';
+import { loadStoredZaiAuth, storeZaiAuth } from '../auth/index.js';
+
+async function promptHidden(question: string): Promise<string> {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout, terminal: true });
+  const rlAny = rl as unknown as { stdoutMuted?: boolean; _writeToOutput?: (s: string) => void };
+  rlAny.stdoutMuted = true;
+
+  rlAny._writeToOutput = (s: string) => {
+    if (!rlAny.stdoutMuted) {
+      process.stdout.write(s);
+      return;
+    }
+    // Mask input characters, but preserve newlines.
+    if (s.includes('\n')) {
+      process.stdout.write('\n');
+    } else {
+      process.stdout.write('*');
+    }
+  };
+
+  const answer = await new Promise<string>((resolve) => rl.question(question, resolve));
+  rlAny.stdoutMuted = false;
+  rl.close();
+  process.stdout.write('\n');
+  return answer.trim();
+}
+
+export function registerZaiAuthCommand(program: Command): void {
+  program
+    .command('zai-auth')
+    .description('Store a Z.AI API key for the zhipuai provider (auth.json)')
+    .action(async () => {
+      const existing = loadStoredZaiAuth();
+      if (existing) {
+        console.log('Z.AI credential already exists.');
+        console.log('Delete ~/.config/flynn/auth.json zai/zhipuai entry if you want to re-authenticate.');
+        process.exit(0);
+      }
+
+      console.log('Z.AI uses API keys (HTTP Bearer), not an OAuth device flow.');
+      console.log('Create a key at: https://z.ai/manage-apikey/apikey-list');
+      console.log('');
+
+      try {
+        const apiKey = await promptHidden('Enter Z.AI API key: ');
+        storeZaiAuth(apiKey);
+        console.log('');
+        console.log('Z.AI credential stored in ~/.config/flynn/auth.json');
+        console.log('');
+        console.log('Tip: For GLM Coding Plan set model endpoint to: https://api.z.ai/api/coding/paas/v4');
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(`Z.AI auth failed: ${message}`);
+        process.exit(1);
+      }
+    });
+}