feat(05-01): add Phase 5 cloud storage packages and config settings

- Add 6 new packages to requirements.txt: cryptography>=41.0.0,
  google-auth-oauthlib>=1.3.1, google-api-python-client>=2.196.0,
  msal>=1.36.0, webdavclient3>=3.14.7, cachetools>=5.3.0
- Add 8 new Settings fields to config.py: cloud_creds_key,
  google_client_id/secret, onedrive_client_id/secret/tenant_id,
  backend_url (frontend_url already present from Phase 2)
- Append cloud storage section to .env.example

.env.example

@@ -49,3 +49,23 @@ SMTP_FROM=noreply@docuvault.local
 # Comma-separated list of allowed origins. Default: http://localhost:5173
 # Example for production: https://app.docuvault.example.com
 CORS_ORIGINS=http://localhost:5173
+
+# ── Cloud Storage Backends (Phase 5) ─────────────────────────────────────────
+# Master key for HKDF per-user cloud credential encryption.
+# Must be at least 32 bytes. Generate with:
+#   python3 -c "import secrets; print(secrets.token_urlsafe(32))"
+CLOUD_CREDS_KEY=CHANGEME-32-bytes-padded!!
+
+# Google Drive OAuth 2.0 — create credentials at https://console.cloud.google.com/
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+
+# Microsoft OneDrive OAuth 2.0 — create app at https://portal.azure.com/
+ONEDRIVE_CLIENT_ID=
+ONEDRIVE_CLIENT_SECRET=
+# "common" for personal + org accounts; or your tenant UUID for org-only
+ONEDRIVE_TENANT_ID=common
+
+# Backend and frontend URLs — used to construct OAuth callback/redirect URLs
+BACKEND_URL=http://localhost:8000
+FRONTEND_URL=http://localhost:5173

backend/config.py

@@ -56,5 +56,19 @@ class Settings(BaseSettings):
     default_ai_provider: str = "ollama"  # DEFAULT_AI_PROVIDER env var
     default_ai_model: str = "llama3.2"   # DEFAULT_AI_MODEL env var
 
+    # Cloud Storage (Phase 5)
+    # master key for HKDF per-user credential encryption — must be overridden in production
+    cloud_creds_key: str = "CHANGEME-32-bytes-padded!!"
+    google_client_id: str = ""
+    google_client_secret: str = ""
+    onedrive_client_id: str = ""
+    onedrive_client_secret: str = ""
+    # "common" works for both personal and org accounts
+    onedrive_tenant_id: str = "common"
+    # used to construct OAuth callback URLs (e.g. {backend_url}/api/cloud/google/callback)
+    backend_url: str = "http://localhost:8000"
+    # used to construct OAuth success/error redirect to Vue app (per Phase 5 B4 fix)
+    # Note: frontend_url already declared above for Phase 2 (password reset links) — shared field
+
 
 settings = Settings()

backend/requirements.txt

@@ -24,3 +24,11 @@ PyJWT>=2.8.0
 pwdlib[argon2]>=0.2.1
 pyotp>=2.9.0
 slowapi>=0.1.9
+
+# Cloud Storage Backends (Phase 5)
+cryptography>=41.0.0
+google-auth-oauthlib>=1.3.1
+google-api-python-client>=2.196.0
+msal>=1.36.0
+webdavclient3>=3.14.7
+cachetools>=5.3.0