test(05-01): create test_cloud.py with 15 Phase 5 xfail stubs

All 15 stubs decorated with @pytest.mark.xfail(strict=False) covering
CLOUD-01..07, D-17 SSRF (test_ssrf_validation parametrized + test_ssrf_link_local),
and SEC-08/IDOR (test_admin_cannot_see_credentials, test_cross_user_idor).
pytest tests/test_cloud.py exits 0 with 19 xfailed (19 = 15 stubs + 4 parametrize variants).

backend/tests/test_cloud.py

@@ -0,0 +1,138 @@
+"""
+Phase 5 — Cloud Storage Backends test stubs.
+
+All tests are decorated with @pytest.mark.xfail(strict=False, reason="not implemented yet").
+These stubs serve as the Wave 0 Nyquist scaffold — they must xfail (not fail) until
+the corresponding implementation plan turns each one green.
+
+Requirements covered: CLOUD-01 through CLOUD-07, D-17 (SSRF), SEC-08 (IDOR/admin block).
+"""
+from __future__ import annotations
+
+import pytest
+
+pytestmark = pytest.mark.asyncio
+
+
+# ── CLOUD-01: OAuth connect / WebDAV connect ──────────────────────────────────
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+async def test_connect_google_drive():
+    """POST /api/cloud/google/connect returns OAuth redirect URL."""
+    pytest.xfail("not implemented yet")
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+async def test_oauth_callback_valid_state():
+    """GET /api/cloud/google/callback with valid state stores credentials and redirects."""
+    pytest.xfail("not implemented yet")
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+async def test_oauth_callback_invalid_state():
+    """GET /api/cloud/google/callback with invalid/missing state returns 400."""
+    pytest.xfail("not implemented yet")
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+async def test_webdav_connect_validates():
+    """POST /api/cloud/webdav/connect validates connectivity before saving credentials."""
+    pytest.xfail("not implemented yet")
+
+
+# ── CLOUD-02: Credential encryption round-trip ────────────────────────────────
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+async def test_credential_round_trip():
+    """encrypt_credentials(decrypt_credentials(creds)) == creds (HKDF AES-256-GCM)."""
+    pytest.xfail("not implemented yet")
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+async def test_credentials_enc_not_exposed():
+    """GET /api/cloud/connections response body never contains credentials_enc field."""
+    pytest.xfail("not implemented yet")
+
+
+# ── CLOUD-03: Cloud upload path ───────────────────────────────────────────────
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+async def test_cloud_upload_no_presigned():
+    """Cloud provider uploads go through the API layer, not presigned URLs."""
+    pytest.xfail("not implemented yet")
+
+
+# ── CLOUD-04: Connection status display ──────────────────────────────────────
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+async def test_connection_status_display():
+    """GET /api/cloud/connections returns status field for each connection."""
+    pytest.xfail("not implemented yet")
+
+
+# ── CLOUD-05: Token expiry / invalid_grant handling ──────────────────────────
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+async def test_invalid_grant_sets_requires_reauth():
+    """invalid_grant error from provider sets connection status to REQUIRES_REAUTH."""
+    pytest.xfail("not implemented yet")
+
+
+# ── CLOUD-06: Disconnect / credential deletion ────────────────────────────────
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+async def test_disconnect_deletes_credentials():
+    """DELETE /api/cloud/connections/{id} permanently removes credentials_enc from DB."""
+    pytest.xfail("not implemented yet")
+
+
+# ── CLOUD-07: StorageBackend factory ─────────────────────────────────────────
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+async def test_factory_returns_correct_backend():
+    """get_storage_backend(provider) returns the correct StorageBackend subclass."""
+    pytest.xfail("not implemented yet")
+
+
+# ── D-17 SSRF validation ──────────────────────────────────────────────────────
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+@pytest.mark.parametrize("url", [
+    "http://192.168.1.1/webdav",   # RFC-1918
+    "http://10.0.0.1/dav",         # RFC-1918
+    "http://127.0.0.1/dav",        # loopback
+    "http://[::1]/dav",            # IPv6 loopback
+    "https://cloud.example.com/",  # valid — should not be blocked
+])
+async def test_ssrf_validation(url):
+    """WebDAV URL validator blocks RFC-1918, loopback, and link-local addresses."""
+    pytest.xfail("not implemented yet")
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+async def test_ssrf_link_local():
+    """WebDAV URL validator blocks link-local addresses (169.254.x.x)."""
+    pytest.xfail("not implemented yet")
+
+
+# ── SEC-08 / IDOR: Admin block and cross-user access ─────────────────────────
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+async def test_admin_cannot_see_credentials():
+    """Admin listing cloud connections never returns credentials_enc field."""
+    pytest.xfail("not implemented yet")
+
+
+@pytest.mark.xfail(strict=False, reason="not implemented yet")
+async def test_cross_user_idor():
+    """GET /api/cloud/connections/{id} owned by another user returns 404."""
+    pytest.xfail("not implemented yet")