Treat requested OTP auth as globally available whenever an OTP auth method plugin is enabled, independent of per-user enabledAuthMethods. This keeps OTP usable for all users without requiring per-user method toggles.
Seed rms.auth.oauth plugin settings with a Google OIDC example while keeping the plugin disabled by default, add admin API/UI support to delete individual reservation entries, and extend auth flow handling for OAuth callback redirects and errors.
Introduce a new rms.auth.oauth auth method plugin for OAuth/OIDC code flow with standard provider settings (authorize/token/userinfo URLs, client credentials, scope, redirect URI and extra params). Add server callback handling and OAuth challenge state tracking, UI redirect/error handling, and keep the plugin disabled by default via manifest defaultEnabled=false.
Return auth.method_unavailable when a user requests an auth method that is not enabled for their account, rather than silently sending the smtp-link challenge. Also log requested/selected method details in auth.request_access audit entries for easier diagnostics.
Introduce a manual-release reservation hold on station state so auto slot activation is suppressed for the current reserved user until the reservation window ends or is removed. Clear the hold on activation/reservation updates and backfill missing hold fields for existing station state files.
Stop auto-activating reservation slots immediately after a manual station release. This ensures the 'Station deaktivieren' action actually leaves the station deactivated, while reservation ownership remains intact until the user deletes the reservation.
Add the reusable RMS core application (server, web UI, plugins, tests, tools) with generic defaults, GPL licensing, and maintainer context documentation so deployments can consume this repo as software source independent of station-specific overlays.
