Add the OAuthCode model for storing short-lived authorization codes with PKCE challenges. Codes are hashed (SHA-256) before storage and are single-use with a 10-minute expiry. Add the database migration and OAuth-specific error types.