feat(timmy): Confluence and OneDrive content providers

[ericfitz]

Summary

Implement delegated provider infrastructure and Confluence, OneDrive/SharePoint, and Google Workspace delegated content providers, building on the infrastructure established in #232.

Depends on: #232 (content provider infrastructure + Google Drive)
Design spec: Infrastructure defined in 2026-04-08-content-providers-design.md

Scope

Delegated Provider Infrastructure (from #232 design spec Phase 4)

Build the per-user OAuth token infrastructure needed by delegated providers:

• user_content_tokens table — Per-user OAuth tokens with AES-256-GCM encryption (TMI_CONTENT_TOKEN_ENCRYPTION_KEY)
• Account linking endpoints — GET /me/content_tokens, POST /me/content_tokens/{provider_id}/authorize, DELETE /me/content_tokens/{provider_id}, GET /oauth2/content_callback
• Token lifecycle — Storage, refresh, revocation
• Startup validation — Refuse to start if delegated provider enabled without encryption key

Content Providers

• Confluence provider — Delegated OAuth, Confluence REST API page extraction
• OneDrive/SharePoint provider — Service account auth, Microsoft Graph API document extraction (DOCX, PPTX, Excel)
• Google Workspace delegated access — Per-user OAuth for Google Docs/Sheets/Slides (extends the service-account Google Drive source from feat(timmy): content provider infrastructure and Google Drive source #232)
• DOCX/PPTX extractors — New ContentExtractor implementations for Office document formats

Provider Details

Confluence (Delegated Provider)

• Implements ContentSource + AccessValidator interfaces
• Uses delegated provider infrastructure (per-user OAuth tokens)
• URL pattern: *.atlassian.net/wiki/*
• Scopes: read:confluence-content.all

OneDrive/SharePoint (Service Provider)

• Implements ContentSource + AccessValidator + AccessRequester interfaces
• Uses service provider pattern (operator credentials) from feat(timmy): content provider infrastructure and Google Drive source #232
• URL patterns: *.sharepoint.com/*, onedrive.live.com/*
• Auth: Microsoft Graph API with application permissions

Google Workspace Delegated Access

• Extends Google Drive source with per-user OAuth option
• Enables access to documents not shared with the service account

Acceptance Criteria

• Delegated provider infrastructure works end-to-end (token storage, encryption, account linking, refresh)
• Each provider implements the ContentSource interface from feat(timmy): content provider infrastructure and Google Drive source #232
• All providers share SSRF protection from URIValidator
• Confluence uses delegated token infrastructure
• OneDrive uses service provider pattern from feat(timmy): content provider infrastructure and Google Drive source #232
• DOCX and PPTX content extractors added to extractor registry
• Unit tests for each provider with mocked HTTP responses
• Integration tests for OAuth token flows
• OpenAPI spec updated for account linking endpoints and any provider-specific endpoints

Design Note

Each provider will need its own design spec before implementation. The infrastructure from #232 defines the interfaces and patterns; this issue covers the delegated infrastructure and provider-specific work.