feat: add M365 one-click login link

[namastex888]

Summary

Implements the first Workit-side slice of #45: generating a Bernardo-safe, one-click Microsoft 365 read-only login link and the broker primitives needed by a hosted callback service.

This does not claim a hosted login.workit.ai service exists yet. It creates the CLI/API contract the service can call/use next.

What changed

• Adds wk auth m365 login-link <email>
• Generates a broker start URL shaped like:
  • https://login.workit.ai/m365/start/<opaque-state>
• Generates the underlying Microsoft OAuth URL with:
  • PKCE S256
  • custom HTTPS callback URL
  • read-only scopes only: User.Read, Mail.Read, Calendars.Read
  • offline_access for refresh token
• Adds broker session primitives:
  • normalized expected email binding
  • PKCE verifier/challenge material
  • expiration timestamp
  • one-time in-memory session store
  • fail-closed authorized-email validation

Safety

• Requires explicit HTTPS broker base URL and callback URL.
• Refuses non-read-only broker sessions.
• Does not request Microsoft write scopes.
• Does not expose code_verifier in JSON output.
• Broker store consumes state once and rejects expired state.
• Email mismatch fails closed.

Verification

make lint
make deadcode
go test ./...
make coverage COVERAGE_MIN=70

Result:

0 issues.
deadcode baseline check: OK
Go test: 2408 passed in 20 packages
coverage total: 70.1% (min 70.0%)

Dogfood:

WK_M365_CLIENT_ID=00000000-0000-0000-0000-000000000000 \
  ./bin/wk --json auth m365 login-link bernardo@hapvida.com.br \
  --base-url https://login.workit.ai \
  --callback-url https://login.workit.ai/m365/callback

Confirmed:

• login_url is the one-click broker URL.
• OAuth host is login.microsoftonline.com.
• redirect_uri is the supplied HTTPS broker callback.
• code_challenge_method=S256.
• No Mail.Send or Calendars.ReadWrite scopes.

Refs #45: Workit now has the link/session contract; next PR can wire a hosted broker HTTP service/deployment.

[coderabbitai]

Warning

Review limit reached

@namastex888, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 48 minutes and 35 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 835d5476-c0d0-4fae-9f57-af68a77a59bd

📥 Commits

Reviewing files that changed from the base of the PR and between 30e16d9 and 2ba3d21.

📒 Files selected for processing (8)

• .deadcode-baseline.txt
• internal/cmd/auth.go
• internal/cmd/auth_m365_link.go
• internal/cmd/m365_login_link_test.go
• internal/msauth/broker.go
• internal/msauth/broker_store.go
• internal/msauth/broker_store_test.go
• internal/msauth/broker_test.go

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/m365-one-click-login

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces Microsoft 365 authentication helpers, specifically adding a command to generate a one-click, read-only login link (auth m365 login-link). It implements the backend broker session logic, including PKCE state generation, URL validation, and an in-memory session store (MemoryBrokerStore) to manage these sessions. Feedback was provided regarding the MemoryBrokerStore implementation, pointing out that a zero-value initialization could lead to a runtime panic due to a nil map. It is recommended to lazily initialize the sessions map inside the Save method under the lock to ensure resilience.

[gemini-code-assist]

The MemoryBrokerStore struct can be initialized as a zero-value (e.g., var store MemoryBrokerStore or store := &MemoryBrokerStore{}). If this happens, s.sessions will be nil, and calling Save will result in a runtime panic when writing to the map.

To make the store resilient to zero-value initialization, we should lazily initialize the sessions map inside the Save method under the lock.

func (s *MemoryBrokerStore) Save(_ context.Context, session BrokerSession) error {
	state := strings.TrimSpace(session.State)
	if state == "" {
		return ErrBrokerStateNotFound
	}

	s.mu.Lock()
	defer s.mu.Unlock()

	if s.sessions == nil {
		s.sessions = make(map[string]BrokerSession)
	}

	s.sessions[state] = session

	return nil
}

[namastex888]

Fixed in 2ba3d21: Save now lazily initializes the session map under the lock, and TestMemoryBrokerStoreZeroValueSaveInitializesSessionMap covers zero-value usage. Local gates and CI are green.