feat: youtube oauth via pkce loopback

[ImpulseB23]

Adds YouTube OAuth (Authorization Code + PKCE over loopback IP redirect, RFC 8252 §7.3) to match the existing Twitch sign-in stack.

ADR 39 covers the full rationale (DCG ruled out — Google restricts it to "limited-input devices" and YouTube scopes aren't on the allowed-scopes list; implicit / custom URL schemes / embedded WebView all rejected).

What's here:

• shared oauth_pkce Rust module (PKCE S256, CSRF state, loopback TcpListener on 127.0.0.1:0, code-for-token exchange via hand-rolled form encoder since reqwest's .form() lives behind a feature we don't enable)
• youtube_auth module mirroring the twitch_auth shape: tokens, keychain storage (prismoid.youtube / active), manager with proactive 5-min refresh (ADR 29), re-auth on invalid_grant (ADR 31), Tauri commands
• 5 Tauri commands (youtube_auth_status, youtube_start_login, youtube_complete_login, youtube_cancel_login, youtube_logout)
• frontend youtubeAuth.ts client + YouTubeSignIn header component (Connect / Connected as / Disconnect)
• ADR 39 in docs/adr.md

Sidecar wiring for YouTube live-chat ingest is out of scope here; that's for a follow-up PR alongside the Kick OAuth (which will reuse the same oauth_pkce module).

Two things to swap before the YouTube button does anything real:

• GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET in youtube_auth/mod.rs (register a Desktop app credential at console.cloud.google.com)

Tests: 260 Rust lib tests pass (42 new in youtube_auth, 31 new in oauth_pkce), 84 vitest tests pass (9 new for youtubeAuth.ts). Clippy clean, prettier clean, eslint clean, tsc clean.

[github-actions]

This PR has 2875 lines changed. Consider splitting it into smaller PRs for easier review.

[codecov]

Codecov Report

❌ Patch coverage is 86.78700% with 183 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
apps/desktop/src-tauri/src/youtube_auth/manager.rs	74.11%	110 Missing ⚠️
...pps/desktop/src-tauri/src/youtube_auth/commands.rs	0.00%	27 Missing ⚠️
apps/desktop/src-tauri/src/youtube_auth/storage.rs	72.36%	21 Missing ⚠️
...s/desktop/src-tauri/src/youtube_auth/auth_state.rs	94.27%	13 Missing ⚠️
apps/desktop/src-tauri/src/oauth_pkce/loopback.rs	96.89%	8 Missing ⚠️
apps/desktop/src-tauri/src/youtube_auth/errors.rs	93.61%	3 Missing ⚠️
apps/desktop/src-tauri/src/oauth_pkce/exchange.rs	99.49%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

[Copilot]

Pull request overview

Adds a YouTube OAuth sign-in stack to the Tauri (Rust) desktop app using Authorization Code + PKCE with an RFC 8252 loopback redirect, plus a small frontend UI to initiate/complete the flow and persist tokens in the OS keychain.

Changes:

• Introduces shared Rust oauth_pkce primitives (PKCE/state generation, loopback listener, token exchange helpers).
• Adds youtube_auth Rust module (tokens + keychain storage + manager + Tauri commands) and wires it into Tauri setup.
• Adds frontend YouTube auth client, tests, and a header YouTubeSignIn component.

Reviewed changes

Copilot reviewed 20 out of 21 changed files in this pull request and generated 8 comments.

Show a summary per file

File	Description
docs/adr.md	Adds ADR 39 documenting YouTube OAuth via PKCE loopback and rationale.
apps/desktop/src/lib/youtubeAuth.ts	Frontend Tauri command client + safe opener for Google auth URL.
apps/desktop/src/lib/youtubeAuth.test.ts	Vitest coverage for YouTube auth command invokes + URL allowlist behavior.
apps/desktop/src/components/YouTubeSignIn.tsx	Header UI for Connect/Waiting/Connected + Disconnect states.
apps/desktop/src/components/Header.tsx	Renders the new YouTubeSignIn component in the header.
apps/desktop/src-tauri/src/youtube_auth/tokens.rs	Persistable YouTube token DTO + refresh threshold logic + tests.
apps/desktop/src-tauri/src/youtube_auth/storage.rs	Keychain + in-memory token store implementations + tests.
apps/desktop/src-tauri/src/youtube_auth/mod.rs	Public surface/constants for YouTube OAuth endpoints/scopes.
apps/desktop/src-tauri/src/youtube_auth/manager.rs	Core YouTube PKCE flow (start/complete/refresh) + channel identity fetch.
apps/desktop/src-tauri/src/youtube_auth/errors.rs	YouTube auth error taxonomy + mapping from PKCE primitives.
apps/desktop/src-tauri/src/youtube_auth/commands.rs	Tauri command wrappers for status/start/complete/cancel/logout.
apps/desktop/src-tauri/src/youtube_auth/auth_state.rs	Managed auth state shared by commands (pending flow + notify).
apps/desktop/src-tauri/src/oauth_pkce/success_page.html	Static “signed in” HTML page served by the loopback listener.
apps/desktop/src-tauri/src/oauth_pkce/pkce.rs	PKCE verifier/challenge + CSRF state generation.
apps/desktop/src-tauri/src/oauth_pkce/mod.rs	Module exports for shared PKCE/loopback/exchange building blocks.
apps/desktop/src-tauri/src/oauth_pkce/loopback.rs	One-shot loopback HTTP redirect listener + query parsing.
apps/desktop/src-tauri/src/oauth_pkce/exchange.rs	Form-encoded token exchange + refresh helpers + tests.
apps/desktop/src-tauri/src/oauth_pkce/errors.rs	Error types for PKCE primitives.
apps/desktop/src-tauri/src/lib.rs	Registers new commands + instantiates/manages YouTube auth state.
apps/desktop/src-tauri/Cargo.toml	Adds deps needed for PKCE + URL building and enables extra tokio features.
apps/desktop/src-tauri/Cargo.lock	Locks newly added Rust dependencies.

[github-actions]

This PR has 3083 lines changed. Consider splitting it into smaller PRs for easier review.