feat: add support for GitHub Models provider

- Introduced environment variable CLAUDE_CODE_USE_GITHUB to enable GitHub Models.
- Added checks for GITHUB_TOKEN or GH_TOKEN for authentication.
- Updated base URL handling to include GitHub Models default.
- Enhanced provider detection and error handling for GitHub Models.
- Updated relevant functions and components to accommodate the new provider.

docs/github-models-pr-draft.md

@@ -0,0 +1,24 @@
+# GitHub Models + onboard — PR draft (paste into GitHub)
+
+**Title:** `feat: GitHub Models provider + interactive onboard (keychain-backed)`
+
+**Body:**
+
+## Summary
+
+- Adds GitHub Models (`models.github.ai`) as an OpenAI-compatible backend via `CLAUDE_CODE_USE_GITHUB` (see existing shim changes).
+- Adds `/onboard-github`: interactive Ink flow for GitHub Device Login or PAT, stores token in OS-backed secure storage (macOS Keychain when available, else `~/.claude/.credentials.json`), and writes user settings `env` so no `export GITHUB_TOKEN` is required.
+- Applies user settings before provider env validation and hydrates `GITHUB_TOKEN` from secure storage when the GitHub provider flag is on.
+
+## How to test
+
+1. Run `openclaude` and execute `/onboard-github` (or launch via command registration).
+2. Complete device flow or paste a PAT with Models access.
+3. Restart CLI; confirm `CLAUDE_CODE_USE_GITHUB=1` in `~/.claude/settings.json` (or merged file) and that inference works without exporting `GITHUB_TOKEN`.
+4. `bun test` (new suites) + `bun run build`.
+
+## Notes / follow-ups
+
+- Device flow OAuth app client ID is configurable via `GITHUB_DEVICE_FLOW_CLIENT_ID`; verify scope list against current GitHub Models documentation.
+- `/logout` currently deletes all secure storage; GitHub token is cleared too — document or narrow in a follow-up.
+- Linux: secure storage is plaintext with chmod 600 today; libsecret is still TODO in `secureStorage`.