feat: add OneDrive and Google Drive backends via OAuth2 device code flow

Adds two new storage backends that target the substantial free tiers of
consumer cloud accounts (1 TB on OneDrive with O365, 15 GB on personal
Google Drive), making Enigma viable for personal backups without paying
for object storage.

Both providers authenticate via OAuth2 device code flow — the user enters
an 8-character code on microsoft.com/devicelogin or google.com/device once,
and refresh tokens stored AES-256-GCM-encrypted on disk handle every
subsequent operation transparently.

New module: enigma-storage/src/oauth/
  - device_flow.rs: hand-rolled OAuth2 device code + refresh implementation
    that handles both Microsoft Graph and Google identity endpoints
  - token_store.rs: encrypted token persistence at <config_dir>/oauth_tokens.enc
    (Argon2id + HKDF-SHA256(info="enigma-oauth-v1") + AES-256-GCM, same
    passphrase as the keystore)
  - retry.rs: with_retry helper honoring HTTP 429 + Retry-After

New backends:
  - onedrive.rs: Microsoft Graph /me/drive/special/approot endpoints with
    Files.ReadWrite.AppFolder scope (isolated to /Apps/Enigma/). Inline
    PUT for chunks ≤ 4 MiB; upload session for larger chunks (10 MiB
    segments) since FastCDC can produce ~8 MiB.
  - gdrive.rs: Drive v3 with drive.file scope (app sees only its own
    files). Flat folder strategy + in-memory chunk-key → file-id cache
    bulk-populated on first use.

New CLI subcommand:
  - enigma auth login {onedrive,gdrive} --client-id <id> [--client-secret <s>]
  - enigma auth status
  - enigma auth logout <provider>

Config: existing [[providers]] schema; type = "onedrive" or "gdrive";
bucket field unused (OneDrive uses approot, Drive uses fixed
"enigma-chunks" folder).

Wiring:
  - ProviderType::Onedrive, ProviderType::Gdrive added to enigma-core
  - enigma-cli/commands/providers.rs: lazy-open the encrypted token store
    only when an OAuth provider is configured; bubble a clear error if no
    passphrase is available
  - backup / restore / verify / gc updated to thread base_dir + passphrase
    through init_providers

Tests:
  - Unit tests for retry backoff, retry-after parsing, token store
    roundtrip + wrong-passphrase rejection, OneDrive URL path encoding,
    Drive name flattening, multipart boundary uniqueness

Out of scope (follow-ups):
  - enigma-proxy dispatch (S3 gateway) for OneDrive/GDrive — currently
    bails through the existing `_ => bail` arm
  - README translations (13 other languages)
  - Multi-account-per-provider support

Note: this commit was not validated locally because the dev environment
lacks build-essential / gcc. CI will catch any issues; follow-up commits
will fix compile errors.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: pszymkowiak-gg

Cargo.lock

@@ -77,6 +77,12 @@ azure_storage = "0.20"
 azure_storage_blobs = "0.20"
 google-cloud-storage = "0.22"
 
+# HTTP (for OAuth + REST backends like OneDrive / Google Drive)
+reqwest = { version = "0.12", default-features = false, features = ["json", "stream", "rustls-tls"] }
+url = "2"
+urlencoding = "2"
+webbrowser = "1"
+
 # Vault SDKs
 azure_security_keyvault_secrets = "0.10"
 azure_identity = "0.31"

Cargo.toml

@@ -290,6 +290,88 @@ addr = "enigma-2.enigma:9000"
 | S3-compatible | `S3Compatible`, `minio`, `rustfs`, `garage` | Requires `endpoint_url`, `path_style = true` |
 | Azure Blob Storage | `Azure` | `bucket` = container name |
 | Google Cloud Storage | `Gcs` | Uses Application Default Credentials |
+| Microsoft OneDrive | `Onedrive` | OAuth2 device code — see [OneDrive setup](#onedrive-setup) |
+| Google Drive | `Gdrive` | OAuth2 device code — see [Google Drive setup](#google-drive-setup) |
+
+### OneDrive setup
+
+OneDrive uses OAuth2 (device code flow). The app stores chunks in a dedicated, app-isolated folder at `/Apps/Enigma/` — it has no access to the rest of your OneDrive.
+
+**One-time app registration (~5 minutes):**
+
+1. Sign in to [Microsoft Entra ID admin center](https://portal.azure.com/).
+2. **App registrations → New registration**.
+3. Name: `enigma-backup` (anything). Supported account types: **"Accounts in any organizational directory and personal Microsoft accounts"**.
+4. Leave "Redirect URI" blank — device code flow does not use a redirect.
+5. Click **Register**. Copy the **Application (client) ID** that appears.
+6. In the new app: **Authentication** tab → "Allow public client flows" → **Yes** → Save.
+7. **API permissions** → **Add a permission** → Microsoft Graph → **Delegated permissions** →
+   - `Files.ReadWrite.AppFolder`
+   - `offline_access`
+
+**One-time login (~30 seconds):**
+
+```bash
+enigma auth login onedrive --client-id <YOUR_CLIENT_ID>
+```
+
+The CLI prints a URL and an 8-character code. Open the URL in any browser, paste the code, sign in to your Microsoft account, click **Yes** to grant access. Tokens are then saved AES-256-GCM-encrypted in `<config_dir>/oauth_tokens.enc` (using your Enigma passphrase) and Enigma can use them indefinitely (refresh tokens are valid for ~90 days of inactivity).
+
+**Use it:**
+
+```toml
+# Add to enigma.toml
+[[providers]]
+name = "my-onedrive"
+type = "onedrive"
+bucket = ""           # unused for OneDrive
+weight = 1
+```
+
+Then `enigma backup ./photos` and chunks go to `https://onedrive.live.com/?id=Apps/Enigma`.
+
+### Google Drive setup
+
+Google Drive also uses OAuth2 (device code flow), scope `drive.file` — the app can only see files it creates. Chunks live in a single folder named `enigma-chunks` at the user's Drive root.
+
+**One-time app registration (~5 minutes):**
+
+1. Open [Google Cloud Console](https://console.cloud.google.com/), create a new project (e.g. `enigma-backup`).
+2. **APIs & Services → Library** → enable **Google Drive API**.
+3. **APIs & Services → OAuth consent screen** → User Type: **External** → fill the minimum fields → Save (Test users: add your own Gmail).
+4. **APIs & Services → Credentials → Create credentials → OAuth client ID** → Application type: **TVs and Limited Input devices**.
+5. Copy the **Client ID** and **Client secret**. (Google requires a client secret in device flow even for "public" desktop clients.)
+
+**One-time login (~30 seconds):**
+
+```bash
+enigma auth login gdrive --client-id <ID> --client-secret <SECRET>
+```
+
+Same UX as OneDrive — open the URL on any device, enter the code, grant access. Tokens saved encrypted; valid as long as the refresh token works (~6 months of inactivity for Google).
+
+**Use it:**
+
+```toml
+[[providers]]
+name = "my-gdrive"
+type = "gdrive"
+bucket = ""           # unused for Google Drive
+weight = 1
+```
+
+### OAuth token management
+
+| Command | What it does |
+|---------|--------------|
+| `enigma auth login onedrive --client-id <id>` | Run the device code flow for OneDrive |
+| `enigma auth login gdrive --client-id <id> --client-secret <s>` | Run the device code flow for Google Drive |
+| `enigma auth status` | Show which providers have stored tokens, expiry, scope |
+| `enigma auth logout <provider>` | Delete stored tokens for a provider |
+
+The encrypted token store lives at `<config_dir>/oauth_tokens.enc`. It is unlocked with your Enigma passphrase — same one as the keystore.
+
+
 
 ### Environment Variables
 

README.md

@@ -27,12 +27,15 @@ glob = "0.3"
 rpassword = "5"
 hex.workspace = true
 futures.workspace = true
+webbrowser = { workspace = true, optional = true }
 
 # OpenSSL (vendored for cross-compilation)
 openssl = { workspace = true, optional = true }
 
 [features]
-default = []
+default = ["browser-open"]
+# Try to open the user's default browser during `enigma auth login` device flow.
+browser-open = ["dep:webbrowser"]
 vendored-openssl = ["dep:openssl"]
 azure-keyvault = ["enigma-keys/azure-keyvault"]
 gcp-secretmanager = ["enigma-keys/gcp-secretmanager"]