fix(05-12): resolve 3 critical code review findings

CR-01: add `except HTTPException: raise` before broad except in
stream_document_content — prevents 503 (reconnect prompt) from being
swallowed and replaced with misleading 502

CR-02: move pre-flight credential checks BEFORE Redis setex in
oauth_initiate — no orphan state tokens written for unconfigured providers;
also adds onedrive_tenant_id to OneDrive pre-flight condition (WR-02)

CR-03: add CLOUD_CREDS_KEY to celery-worker environment in docker-compose.yml
— worker cannot decrypt cloud credentials without this key; every cloud
document task was silently failing at runtime

WR-03: assert Redis store empty after 400 pre-flight responses in both
new tests — confirms no token leak on misconfigured-provider requests

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
curo1305
2026-05-30 18:04:09 +02:00
parent 12dd692f00
commit b1a136b5be
4 changed files with 23 additions and 9 deletions
+12 -7
@@ -339,23 +339,28 @@ async def oauth_initiate(
detail=f"Unsupported OAuth provider: {provider}. Valid providers: {sorted(VALID_OAUTH_PROVIDERS)}",
)
state_token = secrets.token_urlsafe(32)
redis_client = request.app.state.redis
await redis_client.setex(f"oauth_state:{state_token}", 1800, str(current_user.id))
redirect_uri = f"{settings.backend_url}/api/cloud/oauth/callback/{provider}"
# Pre-flight: validate credentials are configured before allocating Redis state
if provider == "google_drive" and (not settings.google_client_id or not settings.google_client_secret):
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="Google Drive OAuth is not configured on this server. Set GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET in your environment.",
)
if provider == "onedrive" and (not settings.onedrive_client_id or not settings.onedrive_client_secret):
if provider == "onedrive" and (
not settings.onedrive_client_id
or not settings.onedrive_client_secret
or not settings.onedrive_tenant_id
):
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="OneDrive OAuth is not configured on this server. Set ONEDRIVE_CLIENT_ID, ONEDRIVE_CLIENT_SECRET, and ONEDRIVE_TENANT_ID in your environment.",
)
state_token = secrets.token_urlsafe(32)
redis_client = request.app.state.redis
await redis_client.setex(f"oauth_state:{state_token}", 1800, str(current_user.id))
redirect_uri = f"{settings.backend_url}/api/cloud/oauth/callback/{provider}"
if provider == "google_drive":
from google_auth_oauthlib.flow import Flow # lazy import
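Review bot: The value written by `setex` in `oauth_initiate` binds the state token only to `current_user.id`, while the provider appears only in `redirect_uri`, so nothing stored lets the callback confirm that a state is redeemed for the provider it was issued for. Consider storing the provider with the user, for example `await redis_client.setex(f"oauth_state:{state_token}", 1800, f"{provider}:{current_user.id}")`, and having the callback reject a mismatch and delete the key on first use; the callback is not in this hunk, so it may already do part of this. The 1800-second lifetime is also long for a value that only has to survive one consent round trip. `oauth_initiate` starts before the hunk and continues after it.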
+2
@@ -756,6 +756,8 @@ async def stream_document_content(
status_code=503,
detail="Cloud connection requires re-authentication. Please reconnect in Settings.",
) from exc
except HTTPException:
raise
except Exception as exc:
raise HTTPException(
status_code=502,
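Review bot: The new `except HTTPException: raise` carries no comment saying which raise it protects, and the 503 visible just above it is raised with `from exc`, which suggests it sits inside an earlier `except` handler (indentation is lost in this rendering, so this is inferred). An exception raised inside a handler is not passed to the sibling `except` clauses of the same `try`, so the new clause only affects an HTTPException raised in the `try` body, which is outside the hunk. I would add a comment such as `# Pass through HTTPExceptions raised in the try body (e.g. the 503 reconnect prompt) so they are not rewrapped as 502`, and make sure a regression test drives that path rather than the handler-raised 503. The body of `stream_document_content` starts before the hunk and runs past it.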