feat(auth): B-2.4 OAuth Microsoft/Google + magic link (Loi 25 deferred consent)

Adds Microsoft 365 + Google OAuth providers (separate from the existing
generic OIDC SSO at src/auth/sso.py) and a passwordless magic-link login
flow. New OAuth signups capture Loi 25 art. 14 consents (4 granular
checkboxes) BEFORE creating the User row via /auth/oauth/finish-signup.

Per compatibility-audit.md C2:
- No src/auth_extended/ directory — extends src/auth/ in place
- No new User columns — reuses sso_provider/sso_subject + email_verified
- Magic-link tokens via itsdangerous URLSafeTimedSerializer (15-min, no DB)
- All routes added to existing auth_bp; templates extend marketing/base.html
- Anti-enumeration on /auth/magic-link (generic flash for unknown OR
  unverified emails) and /auth/magic-link/<token> (same flash for
  invalid/expired/unverified-user)

Files added:
- src/auth/oauth_providers.py — Microsoft + Google OAuth registration,
  is_oauth_provider_enabled(), find_user_by_oauth(), create_oauth_user_with_consent()
- src/auth/magic_link.py — generate/consume magic-link tokens
- templates/auth/magic_link_request.html, templates/auth/oauth_finish_signup.html
- tests/test_oauth_magic_link.py + tests/_run_oauth_magic_link_windows.py (16 tests)
- config/env.oauth.example

Files modified:
- src/api/auth.py — 5 new routes (oauth_provider_login/callback,
  oauth_finish_signup, magic_link_request/consume); login flashes translated FR;
  oauth_*_enabled flags passed to login template
- src/app.py — wires init_oauth_providers(app) after blueprint registration
- src/services/email.py — adds send_magic_link_email() (FR + DictIA brand)
- templates/login.html — refondu IN PLACE (was 178 lines legacy Vue/TW3)
  to extend marketing/base.html with OAuth buttons, password form,
  magic-link CTA, signup link
- templates/auth/check_email.html — adds action='magic_link' branch
- static/css/tailwind.config.js — adds templates/login.html to content
- static/css/marketing.css — rebuilt

Tests: 16/16 PASS via Windows manual driver.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

templates/auth/check_email.html

@@ -1,6 +1,6 @@
 {% extends 'marketing/base.html' %}
 
-{% block title %}{% if action == 'password_reset' %}Vérifiez votre courriel — DictIA{% else %}Confirmez votre courriel — DictIA{% endif %}{% endblock %}
+{% block title %}{% if action == 'password_reset' %}Vérifiez votre courriel — DictIA{% elif action == 'magic_link' %}Lien de connexion envoyé — DictIA{% else %}Confirmez votre courriel — DictIA{% endif %}{% endblock %}
 {% block description %}Un courriel vous a été envoyé. Suivez le lien pour activer votre compte DictIA.{% endblock %}
 
 {% block content %}
@@ -11,6 +11,7 @@
     <h1 id="check-email-title" class="text-2xl font-black text-brand-navy mb-2">
       {% if action == 'password_reset' %}Vérifiez votre courriel
       {% elif action == 'verification_required' %}Vérification requise
+      {% elif action == 'magic_link' %}Lien de connexion envoyé
       {% else %}Confirmez votre courriel{% endif %}
     </h1>
 
@@ -19,6 +20,8 @@
         Si un compte DictIA existe pour <strong>{{ email }}</strong>, vous recevrez un courriel avec un lien pour réinitialiser votre mot de passe. Le lien expire dans 1&#160;heure.
       {% elif action == 'verification_required' %}
         Vérifiez votre boîte de réception à <strong>{{ email }}</strong>. Si vous ne recevez rien, demandez un nouveau courriel ci-dessous.
+      {% elif action == 'magic_link' %}
+        Si un compte vérifié existe pour <strong>{{ email }}</strong>, vous recevrez un courriel avec un lien de connexion. Le lien expire dans {{ "15&nbsp;minutes" | safe }}.
       {% else %}
         Nous avons envoyé un lien de vérification à <strong>{{ email }}</strong>. Cliquez dessus pour activer votre compte. Le lien expire dans 24&#160;heures.
       {% endif %}

templates/auth/magic_link_request.html

@@ -0,0 +1,50 @@
+{% extends 'marketing/base.html' %}
+
+{% block title %}Lien de connexion DictIA{% endblock %}
+{% block description %}Recevez un lien magique pour vous connecter à DictIA sans mot de passe.{% endblock %}
+
+{% block content %}
+<section class="min-h-[calc(100vh-62px)] bg-brand-bg py-16 px-4" aria-labelledby="magic-title">
+  <div class="max-w-md mx-auto bg-white p-8 rounded-[18px] border border-brand-border shadow-cta">
+    <h1 id="magic-title" class="text-3xl font-black text-brand-navy mb-2">Lien de connexion</h1>
+    <p class="text-sm text-brand-navy/70 mb-6">{{ "Recevez un lien par courriel pour vous connecter sans mot de passe. Le lien expire dans 15&nbsp;minutes." | safe }}</p>
+
+    {% with messages = get_flashed_messages(with_categories=true) %}
+      {% if messages %}
+        {% for category, message in messages %}
+          <div role="alert" class="mb-3 p-3 rounded-lg text-sm
+            {% if category == 'danger' %}bg-red-50 text-red-900 border border-red-200
+            {% elif category == 'warning' %}bg-amber-50 text-amber-900 border border-amber-200
+            {% elif category == 'success' %}bg-green-50 text-green-900 border border-green-200
+            {% else %}bg-blue-50 text-blue-900 border border-blue-200{% endif %}">
+            {{ message }}
+          </div>
+        {% endfor %}
+      {% endif %}
+    {% endwith %}
+
+    <form method="POST" action="{{ url_for('auth.magic_link_request') }}" class="space-y-4" novalidate>
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
+
+      <div>
+        <label for="email" class="block text-sm font-medium text-brand-navy mb-1">Courriel <span class="text-red-600" aria-hidden="true">*</span></label>
+        <input type="email" id="email" name="email" autocomplete="email" required aria-required="true"
+               class="w-full px-3 py-2 border border-brand-border rounded-[0.5rem] text-brand-navy focus-visible:outline-2 focus-visible:outline-brand-b1 focus-visible:outline-offset-2"
+               placeholder="vous@cabinet.qc.ca">
+      </div>
+
+      <button type="submit" class="w-full grad-bg text-white font-semibold py-3 rounded-[0.75rem] shadow-cta hover:shadow-cta-hover transition focus-visible:outline-2 focus-visible:outline-brand-b1 focus-visible:outline-offset-2">
+        {{ "Recevoir le lien (expire dans 15&nbsp;minutes)" | safe }}
+      </button>
+    </form>
+
+    <p class="text-xs text-brand-navy/70 mt-4">
+      Pour des raisons de sécurité, le lien n'est envoyé qu'aux comptes dont le courriel est vérifié. Si vous ne recevez rien, vérifiez vos pourriels (spam).
+    </p>
+
+    <p class="text-center text-sm text-brand-navy/70 mt-6">
+      <a href="{{ url_for('auth.login') }}" class="grad-text font-semibold hover:underline">&larr; Retour à la connexion</a>
+    </p>
+  </div>
+</section>
+{% endblock %}

templates/auth/oauth_finish_signup.html

@@ -0,0 +1,80 @@
+{% extends 'marketing/base.html' %}
+
+{% block title %}Finaliser votre inscription DictIA{% endblock %}
+{% block description %}Finalisez votre inscription DictIA — consentements Loi 25 requis pour créer votre compte.{% endblock %}
+
+{% block content %}
+<section class="min-h-[calc(100vh-62px)] bg-brand-bg py-16 px-4" aria-labelledby="finish-title">
+  <div class="max-w-md mx-auto bg-white p-8 rounded-[18px] border border-brand-border shadow-cta">
+    <h1 id="finish-title" class="text-3xl font-black text-brand-navy mb-2">Finaliser votre inscription</h1>
+    <p class="text-sm text-brand-navy/70 mb-6">
+      Vous vous inscrivez via <strong>{{ provider_display or provider | capitalize }}</strong>. Avant de créer votre compte DictIA, nous devons obtenir vos consentements conformément à la {{ "Loi&nbsp;25" | safe }} du Québec.
+    </p>
+
+    {% with messages = get_flashed_messages(with_categories=true) %}
+      {% if messages %}
+        {% for category, message in messages %}
+          <div role="alert" class="mb-3 p-3 rounded-lg text-sm
+            {% if category == 'danger' %}bg-red-50 text-red-900 border border-red-200
+            {% elif category == 'warning' %}bg-amber-50 text-amber-900 border border-amber-200
+            {% elif category == 'success' %}bg-green-50 text-green-900 border border-green-200
+            {% else %}bg-blue-50 text-blue-900 border border-blue-200{% endif %}">
+            {{ message }}
+          </div>
+        {% endfor %}
+      {% endif %}
+    {% endwith %}
+
+    {# Pre-filled email from OAuth provider — display only, not editable #}
+    <div class="bg-brand-bg border border-brand-border rounded-[0.5rem] p-3 mb-6 text-sm">
+      <p class="text-brand-navy/70 mb-1">Compte fédéré :</p>
+      <p class="text-brand-navy font-semibold break-all">{{ userinfo.email }}</p>
+      {% if userinfo.name %}<p class="text-brand-navy/80 text-xs mt-1">{{ userinfo.name }}</p>{% endif %}
+    </div>
+
+    <form method="POST" action="{{ url_for('auth.oauth_finish_signup') }}" class="space-y-4" novalidate>
+      <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
+
+      {# 4 SEPARATE consent checkboxes — Loi 25 art. 14 (consent must be granular, free, informed) #}
+      <fieldset class="space-y-3 pt-2">
+        <legend class="text-xs font-semibold text-brand-navy uppercase tracking-wide mb-1">{{ "Consentements — Loi&nbsp;25" | safe }}</legend>
+
+        <label for="consent_cgu" class="flex items-start gap-2 text-sm text-brand-navy/90">
+          <input type="checkbox" id="consent_cgu" name="consent_cgu" value="y" required aria-required="true"
+                 class="mt-1 focus-visible:outline-2 focus-visible:outline-brand-b1 focus-visible:outline-offset-2">
+          <span>J'accepte les <a href="/legal/conditions" target="_blank" rel="noopener" class="grad-text underline">conditions d'utilisation</a>. <span class="text-red-600" aria-hidden="true">*</span></span>
+        </label>
+        {% if errors.consent_cgu %}<p class="text-xs text-red-900 mt-1" role="alert">{{ errors.consent_cgu }}</p>{% endif %}
+
+        <label for="consent_confidentialite" class="flex items-start gap-2 text-sm text-brand-navy/90">
+          <input type="checkbox" id="consent_confidentialite" name="consent_confidentialite" value="y" required aria-required="true"
+                 class="mt-1 focus-visible:outline-2 focus-visible:outline-brand-b1 focus-visible:outline-offset-2">
+          <span>J'accepte la <a href="/legal/confidentialite" target="_blank" rel="noopener" class="grad-text underline">politique de confidentialité</a>. <span class="text-red-600" aria-hidden="true">*</span></span>
+        </label>
+        {% if errors.consent_confidentialite %}<p class="text-xs text-red-900 mt-1" role="alert">{{ errors.consent_confidentialite }}</p>{% endif %}
+
+        <label for="consent_marketing" class="flex items-start gap-2 text-sm text-brand-navy/90">
+          <input type="checkbox" id="consent_marketing" name="consent_marketing" value="y"
+                 class="mt-1 focus-visible:outline-2 focus-visible:outline-brand-b1 focus-visible:outline-offset-2">
+          <span>J'accepte de recevoir des communications marketing (optionnel, désactivable à tout moment).</span>
+        </label>
+
+        <label for="consent_analytics" class="flex items-start gap-2 text-sm text-brand-navy/90">
+          <input type="checkbox" id="consent_analytics" name="consent_analytics" value="y"
+                 class="mt-1 focus-visible:outline-2 focus-visible:outline-brand-b1 focus-visible:outline-offset-2">
+          <span>J'accepte les statistiques d'usage anonymisées (optionnel, désactivable à tout moment).</span>
+        </label>
+      </fieldset>
+
+      <button type="submit" class="w-full grad-bg text-white font-semibold py-3 rounded-[0.75rem] shadow-cta hover:shadow-cta-hover transition focus-visible:outline-2 focus-visible:outline-brand-b1 focus-visible:outline-offset-2">
+        Créer mon compte DictIA
+      </button>
+    </form>
+
+    <p class="text-center text-sm text-brand-navy/70 mt-6">
+      Vous voulez utiliser un autre courriel&nbsp;?
+      <a href="{{ url_for('auth.signup') }}" class="grad-text font-semibold hover:underline">Inscription manuelle</a>
+    </p>
+  </div>
+</section>
+{% endblock %}