feat(auth): B-2.4 OAuth Microsoft/Google + magic link (Loi 25 deferred consent)

Adds Microsoft 365 + Google OAuth providers (separate from the existing
generic OIDC SSO at src/auth/sso.py) and a passwordless magic-link login
flow. New OAuth signups capture Loi 25 art. 14 consents (4 granular
checkboxes) BEFORE creating the User row via /auth/oauth/finish-signup.

Per compatibility-audit.md C2:
- No src/auth_extended/ directory — extends src/auth/ in place
- No new User columns — reuses sso_provider/sso_subject + email_verified
- Magic-link tokens via itsdangerous URLSafeTimedSerializer (15-min, no DB)
- All routes added to existing auth_bp; templates extend marketing/base.html
- Anti-enumeration on /auth/magic-link (generic flash for unknown OR
  unverified emails) and /auth/magic-link/<token> (same flash for
  invalid/expired/unverified-user)

Files added:
- src/auth/oauth_providers.py — Microsoft + Google OAuth registration,
  is_oauth_provider_enabled(), find_user_by_oauth(), create_oauth_user_with_consent()
- src/auth/magic_link.py — generate/consume magic-link tokens
- templates/auth/magic_link_request.html, templates/auth/oauth_finish_signup.html
- tests/test_oauth_magic_link.py + tests/_run_oauth_magic_link_windows.py (16 tests)
- config/env.oauth.example

Files modified:
- src/api/auth.py — 5 new routes (oauth_provider_login/callback,
  oauth_finish_signup, magic_link_request/consume); login flashes translated FR;
  oauth_*_enabled flags passed to login template
- src/app.py — wires init_oauth_providers(app) after blueprint registration
- src/services/email.py — adds send_magic_link_email() (FR + DictIA brand)
- templates/login.html — refondu IN PLACE (was 178 lines legacy Vue/TW3)
  to extend marketing/base.html with OAuth buttons, password form,
  magic-link CTA, signup link
- templates/auth/check_email.html — adds action='magic_link' branch
- static/css/tailwind.config.js — adds templates/login.html to content
- static/css/marketing.css — rebuilt

Tests: 16/16 PASS via Windows manual driver.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/auth/magic_link.py

@@ -0,0 +1,40 @@
+"""Magic link login (B-2.4).
+
+Stateless tokens via ``itsdangerous`` (no DB column). Same pattern as
+``src/services/email.py:generate_verification_token`` — token contains
+the user_id; ``max_age`` is 15 minutes.
+
+The compatibility-audit (C2) explicitly forbids new User columns
+(no ``magic_link_token``, no ``magic_link_sent_at``). Single-use enforcement
+is intentionally NOT implemented at this layer because the cost of a
+short-window replay (≤15 min, requires the user's email) is acceptable
+for the threat model — the user opened the email and clicked the link.
+If single-use becomes a hard requirement later, add an ip + sent_at index
+to a separate magic-link audit table without touching User.
+"""
+from typing import Optional
+
+from itsdangerous import URLSafeTimedSerializer, SignatureExpired, BadSignature
+from flask import current_app
+
+MAGIC_LINK_EXPIRY_SECONDS = 15 * 60  # 15 minutes
+_SALT = 'magic-link-login'
+
+
+def _serializer() -> URLSafeTimedSerializer:
+    """Build a fresh serializer per call (cheap; reads SECRET_KEY from app config)."""
+    secret_key = current_app.config.get('SECRET_KEY', 'default-dev-key')
+    return URLSafeTimedSerializer(secret_key, salt=_SALT)
+
+
+def generate_magic_link_token(user_id: int) -> str:
+    """Sign a magic-link token containing the user_id."""
+    return _serializer().dumps(user_id)
+
+
+def consume_magic_link_token(token: str) -> Optional[int]:
+    """Return user_id if token is valid and unexpired, else None."""
+    try:
+        return _serializer().loads(token, max_age=MAGIC_LINK_EXPIRY_SECONDS)
+    except (SignatureExpired, BadSignature):
+        return None