feat(05-10): OAuth fetch + Nextcloud edit fix + Edit on ERROR + text overflow

- client.js: add initiateOAuth() and getConnectionConfig() helpers
- SettingsCloudTab: replace window.location.href with initiateOAuth() + fetch/JWT
- SettingsCloudTab: add Edit button to ACTIVE and ERROR blocks for non-OAuth providers
- SettingsCloudTab: wrap ConfirmBlock in w-full overflow-hidden div
- CloudCredentialModal: add existing prop, edit-mode pre-population via /config endpoint
- CloudCredentialModal: add showAdvanced + customEndpoint for Nextcloud custom paths
- ConfirmBlock: add break-words class to message paragraph
- cloud.py: add GET /api/cloud/connections/{id}/config endpoint (non-secret fields)

frontend/src/api/client.js

@@ -437,3 +437,27 @@ export function updateDefaultStorage(backend) {
 export function getCloudFolders(provider, folderId) {
   return request(`/api/cloud/folders/${provider}/${folderId}`)
 }
+
+/**
+ * Initiate OAuth flow for Google Drive or OneDrive.
+ *
+ * Returns a JSON object {url: "<authorization_url>"} from the backend.
+ * The caller is responsible for navigating: window.location.href = data.url
+ *
+ * Using request() (not bare window.location.href) ensures the Bearer header
+ * is injected and the 401→refresh retry path fires if the token has expired.
+ * See plan 05-10 trust boundary: frontend→/api/cloud/oauth/initiate/{provider}.
+ */
+export function initiateOAuth(provider) {
+  return request(`/api/cloud/oauth/initiate/${provider}`)
+}
+
+/**
+ * Fetch non-secret configuration for a WebDAV/Nextcloud connection (edit flow).
+ *
+ * Returns {id, provider, server_url, connection_username} — never the password.
+ * Used to pre-populate the Edit modal when re-editing an existing connection.
+ */
+export function getConnectionConfig(connectionId) {
+  return request(`/api/cloud/connections/${connectionId}/config`)
+}