feat(auth): B-2.4 OAuth Microsoft/Google + magic link (Loi 25 deferred consent)

Adds Microsoft 365 + Google OAuth providers (separate from the existing
generic OIDC SSO at src/auth/sso.py) and a passwordless magic-link login
flow. New OAuth signups capture Loi 25 art. 14 consents (4 granular
checkboxes) BEFORE creating the User row via /auth/oauth/finish-signup.

Per compatibility-audit.md C2:
- No src/auth_extended/ directory — extends src/auth/ in place
- No new User columns — reuses sso_provider/sso_subject + email_verified
- Magic-link tokens via itsdangerous URLSafeTimedSerializer (15-min, no DB)
- All routes added to existing auth_bp; templates extend marketing/base.html
- Anti-enumeration on /auth/magic-link (generic flash for unknown OR
  unverified emails) and /auth/magic-link/<token> (same flash for
  invalid/expired/unverified-user)

Files added:
- src/auth/oauth_providers.py — Microsoft + Google OAuth registration,
  is_oauth_provider_enabled(), find_user_by_oauth(), create_oauth_user_with_consent()
- src/auth/magic_link.py — generate/consume magic-link tokens
- templates/auth/magic_link_request.html, templates/auth/oauth_finish_signup.html
- tests/test_oauth_magic_link.py + tests/_run_oauth_magic_link_windows.py (16 tests)
- config/env.oauth.example

Files modified:
- src/api/auth.py — 5 new routes (oauth_provider_login/callback,
  oauth_finish_signup, magic_link_request/consume); login flashes translated FR;
  oauth_*_enabled flags passed to login template
- src/app.py — wires init_oauth_providers(app) after blueprint registration
- src/services/email.py — adds send_magic_link_email() (FR + DictIA brand)
- templates/login.html — refondu IN PLACE (was 178 lines legacy Vue/TW3)
  to extend marketing/base.html with OAuth buttons, password form,
  magic-link CTA, signup link
- templates/auth/check_email.html — adds action='magic_link' branch
- static/css/tailwind.config.js — adds templates/login.html to content
- static/css/marketing.css — rebuilt

Tests: 16/16 PASS via Windows manual driver.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/services/email.py

@@ -430,6 +430,75 @@ Si vous n'avez pas demandé de réinitialisation, ignorez ce courriel — votre
     return _send_email(user.email, subject, html_body, text_body)
 
 
+def send_magic_link_email(user, magic_url: str) -> bool:
+    """Send a magic-link login email (B-2.4).
+
+    Args:
+        user: User model instance (must have .email; .name preferred for display).
+        magic_url: Absolute URL to the magic-link consume endpoint.
+
+    The token itself is generated by ``src.auth.magic_link.generate_magic_link_token``
+    and embedded in ``magic_url`` by the caller — this function only renders
+    + sends the email. Stateless tokens (no DB column).
+
+    Returns True if the email was sent successfully, False otherwise.
+    """
+    if not is_smtp_configured():
+        logger.warning("Cannot send magic-link email: SMTP not configured")
+        return False
+
+    # Display name preferred over username; fallback chain handles None/empty
+    # name AND the schema-improbable case where username is also missing.
+    # HTML body MUST escape user-controlled name to prevent stored XSS;
+    # text body uses raw string (plaintext has no XSS surface).
+    raw_display_name = (
+        (getattr(user, 'name', None) or '').strip()
+        or user.username
+        or 'utilisateur'
+    ).strip()
+    display_name_html = html_escape(raw_display_name)
+    display_name_text = raw_display_name
+
+    subject = "Votre lien de connexion DictIA"
+
+    content_html = f"""
+<h2 style="color: #060d1a; margin: 0 0 24px 0; font-size: 24px; font-weight: 700;">Votre lien de connexion</h2>
+
+<p style="color: #374151; margin: 0 0 16px 0; font-size: 16px;">Bonjour {display_name_html},</p>
+
+<p style="color: #374151; margin: 0 0 24px 0; font-size: 16px;">
+    Cliquez sur le bouton ci-dessous pour vous connecter à DictIA sans mot de passe. Ce lien est à usage personnel et expire rapidement.
+</p>
+
+<div style="text-align: center; margin: 32px 0;">
+    <a href="{magic_url}" style="display: inline-block; background-color: #0062ff; color: #ffffff; text-decoration: none; padding: 14px 32px; border-radius: 8px; font-weight: 600; font-size: 16px;">Se connecter à DictIA</a>
+</div>
+
+<p style="color: #4b5563; font-size: 14px; margin: 24px 0 8px 0;">Ou copiez-collez ce lien dans votre navigateur :</p>
+<p style="word-break: break-all; color: #0062ff; font-size: 14px; margin: 0; padding: 12px; background-color: #f7f9fc; border-radius: 6px;">{magic_url}</p>
+
+<div style="margin-top: 32px; padding-top: 24px; border-top: 1px solid #e6ebf2;">
+    <p style="color: #4b5563; font-size: 13px; margin: 0;">
+        <strong>Ce lien expire dans 15&nbsp;minutes.</strong><br>
+        Si vous n'avez pas demandé ce lien de connexion, ignorez ce courriel — votre compte reste sécurisé.
+    </p>
+</div>
+"""
+
+    content_text = f"""Bonjour {display_name_text},
+
+Cliquez sur le lien ci-dessous pour vous connecter à DictIA sans mot de passe :
+
+{magic_url}
+
+Ce lien expire dans 15 minutes.
+
+Si vous n'avez pas demandé ce lien de connexion, ignorez ce courriel — votre compte reste sécurisé."""
+
+    html_body, text_body = _get_email_template(content_html, content_text, subject)
+    return _send_email(user.email, subject, html_body, text_body)
+
+
 def can_resend_verification(user) -> tuple[bool, Optional[int]]:
     """
     Check if a verification email can be resent.