
Subscription Auth Foundation (OAuth, Token Lifecycle, Config) #105

@davidste

Description

Summary

Build the shared subscription auth foundation for Loomkin:

  • OAuth/PKCE lifecycle
  • secure token lifecycle (store/refresh/revoke)
  • config schema for subscription auth
  • UI/command entry points for connect/disconnect

This issue does not include provider-specific request adapters. It establishes the core plumbing they will reuse.

Why This Issue Exists

  • Loomkin currently has no subscription auth runtime path.
  • Provider-specific adapter work should not duplicate auth, storage, and refresh logic.
  • A shared foundation reduces risk and keeps provider issues focused.

Scope

OAuth + token lifecycle

  • Add shared OAuth abstraction for:
    • authorization URL generation
    • state + nonce validation
    • PKCE verifier/challenge
    • callback exchange
  • Add token lifecycle support:
    • persist provider/account token set
    • refresh before expiry
    • explicit revoke/disconnect path
    • failure backoff + retry policy
    • graceful reconnect UX when refresh fails
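The PKCE and state handling listed above, as an added example in plain Elixir (standard library only; this is not Loomkin code, and the module, function and provider config field names are assumptions). It shows an S256 verifier/challenge pair, an unguessable single-use state bound to the login attempt, the authorization URL, and a callback validator that rejects unknown, expired or replayed state. The OIDC nonce, which comes back inside the id_token rather than on the callback URL, is not covered here.

```elixir
# Added example, not Loomkin code: PKCE (RFC 7636, S256) and state handling for
# an OAuth 2.0 authorization-code flow. Module and config names are assumptions.
defmodule SubscriptionAuth.Pkce do
  # A started flow is abandoned if the callback does not arrive within this window.
  @state_ttl_seconds 600

  # 32 random bytes -> 43-character base64url verifier (RFC 7636 allows 43..128).
  def new_verifier, do: Base.url_encode64(:crypto.strong_rand_bytes(32), padding: false)

  # S256 challenge = base64url(sha256(verifier)) without padding.
  def challenge(verifier),
    do: Base.url_encode64(:crypto.hash(:sha256, verifier), padding: false)

  # Unguessable, single-use state value that ties the callback to this attempt (CSRF).
  def new_state, do: Base.url_encode64(:crypto.strong_rand_bytes(16), padding: false)

  @doc """
  Starts a flow. Returns the authorization URL, the state, and the pending entry
  (verifier + expiry) that must be persisted under that state until the callback.
  `provider` is an assumed map with :authorize_url, :client_id, :redirect_uri, :scope.
  """
  def start(provider, now \\ System.system_time(:second)) do
    verifier = new_verifier()
    state = new_state()

    query =
      URI.encode_query(%{
        "response_type" => "code",
        "client_id" => provider.client_id,
        "redirect_uri" => provider.redirect_uri,
        "scope" => provider.scope,
        "state" => state,
        "code_challenge" => challenge(verifier),
        "code_challenge_method" => "S256"
      })

    pending = %{verifier: verifier, expires_at: now + @state_ttl_seconds}
    {provider.authorize_url <> "?" <> query, state, pending}
  end

  @doc """
  Validates a callback against the map of pending attempts (state => pending entry).
  On success returns the code, the verifier to send in the token exchange, and the
  pending map with this state removed so the same callback cannot be replayed.
  """
  def validate_callback(pending_by_state, params, now \\ System.system_time(:second)) do
    state = Map.get(params, "state")
    code = Map.get(params, "code")

    cond do
      is_binary(params["error"]) ->
        {:error, {:provider_error, params["error"]}}

      not (is_binary(state) and is_binary(code)) ->
        {:error, :missing_state_or_code}

      not Map.has_key?(pending_by_state, state) ->
        {:error, :unknown_state}

      pending_by_state[state].expires_at <= now ->
        {:error, :state_expired}

      true ->
        %{verifier: verifier} = pending_by_state[state]
        {:ok, %{code: code, code_verifier: verifier}, Map.delete(pending_by_state, state)}
    end
  end
end

# Usage with a constructed provider config:
# provider = %{authorize_url: "https://provider.example/oauth/authorize",
#              client_id: "loomkin", redirect_uri: "http://localhost:4000/auth/callback",
#              scope: "openid offline_access"}
# {url, state, pending} = SubscriptionAuth.Pkce.start(provider)
# SubscriptionAuth.Pkce.validate_callback(%{state => pending}, %{"state" => state, "code" => "abc"})
```

The pending map is what the callback endpoint checks; keeping it keyed by state and deleting the entry on first use gives the single-use property the Security section asks for. The verifier is never placed in the URL, only its hash, so an intercepted authorization request cannot complete the exchange.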

Config

  • Extend .loomkin.toml parsing for subscription auth sections.
  • Support env interpolation for secrets/tokens.
  • Validate config at load time and return actionable errors.
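The config bullets above, as an added example (not Loomkin code): load-time validation of decoded `[subscription_auth.<name>]` sections with `${ENV_VAR}` interpolation. The section layout, key names and the https rule are assumptions; TOML decoding is left to the project's existing parser, so the function takes the already-decoded map. Errors name the section and key so the user can act on them.

```elixir
# Added example, not Loomkin code: env interpolation and validation for decoded
# subscription-auth config sections. Key names and rules are assumptions.
defmodule SubscriptionAuth.Config do
  @required ~w(authorize_url token_url client_id redirect_uri)
  @secret_keys ~w(client_secret)
  # "${VAR}" anywhere in a string value is replaced by the environment variable.
  @var ~r/\$\{([A-Z0-9_]+)\}/

  @doc """
  Validates every provider section. Returns {:ok, providers} or {:error, messages};
  `env` defaults to the process environment and is injectable for tests.
  """
  def load(config, env \\ System.get_env())

  def load(%{"subscription_auth" => sections}, env) when is_map(sections) do
    {ok, errors} =
      Enum.reduce(sections, {%{}, []}, fn {name, section}, {ok, errors} ->
        case validate_section(name, section, env) do
          {:ok, cfg} -> {Map.put(ok, name, cfg), errors}
          {:error, msgs} -> {ok, errors ++ msgs}
        end
      end)

    if errors == [], do: {:ok, ok}, else: {:error, errors}
  end

  def load(_other, _env), do: {:error, ["missing [subscription_auth] table in .loomkin.toml"]}

  defp validate_section(name, section, env) when is_map(section) do
    {resolved, interp_errors} =
      Enum.reduce(section, {%{}, []}, fn {k, v}, {acc, errs} ->
        case interpolate(v, env) do
          {:ok, value} -> {Map.put(acc, k, value), errs}
          {:error, var} -> {acc, ["#{name}.#{k}: environment variable #{var} is not set" | errs]}
        end
      end)

    missing =
      for key <- @required, not Map.has_key?(resolved, key),
          do: "#{name}.#{key}: required key is missing"

    url_errors =
      for key <- ~w(authorize_url token_url),
          is_binary(resolved[key]) and URI.parse(resolved[key]).scheme != "https",
          do: "#{name}.#{key}: must use https"

    # Secrets must be referenced, not written into the file that gets committed or shared.
    literal_secrets =
      for key <- @secret_keys, is_binary(section[key]), not Regex.match?(@var, section[key]),
          do: "#{name}.#{key}: secrets must be referenced as ${ENV_VAR}, not written literally"

    case interp_errors ++ missing ++ url_errors ++ literal_secrets do
      [] -> {:ok, resolved}
      msgs -> {:error, msgs}
    end
  end

  defp validate_section(name, _other, _env), do: {:error, ["#{name}: section must be a table"]}

  # An unset variable is an error rather than silently becoming an empty string.
  defp interpolate(value, env) when is_binary(value) do
    missing =
      @var
      |> Regex.scan(value)
      |> Enum.map(fn [_whole, var] -> var end)
      |> Enum.reject(&Map.has_key?(env, &1))

    case missing do
      [] -> {:ok, Regex.replace(@var, value, fn _whole, var -> Map.fetch!(env, var) end)}
      [var | _] -> {:error, var}
    end
  end

  defp interpolate(value, _env), do: {:ok, value}
end

# Usage with a constructed decoded config and a constructed environment:
# decoded = %{"subscription_auth" => %{"acme" => %{
#   "authorize_url" => "https://acme.example/oauth/authorize",
#   "token_url" => "https://acme.example/oauth/token",
#   "client_id" => "loomkin", "redirect_uri" => "http://localhost:4000/auth/callback",
#   "client_secret" => "${ACME_CLIENT_SECRET}"}}}
# SubscriptionAuth.Config.load(decoded, %{"ACME_CLIENT_SECRET" => "constructed-secret"})
```

Collecting every error before returning, rather than failing on the first, is what makes the messages actionable: a user fixing a new section sees all missing keys and unset variables in one pass.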

UI + command integration

  • Add connect/disconnect flows in existing Loomkin UX.
  • Add status surface showing auth state per provider/account.
  • Ensure auth errors are user-safe (no token leak in UI/logs).
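The "no token leak in UI/logs" requirement above, as an added example (not Loomkin code; module and key names are assumptions). Two layers are shown: a token struct whose `inspect/1` output omits the secrets, so accidental logging of the struct is harmless, and a deep redactor for maps, keyword lists and strings (bearer headers, `code=`/token query parameters) that runs before anything reaches Logger metadata, telemetry or UI error text, plus a mapping from internal failure atoms to user-safe messages.

```elixir
# Added example, not Loomkin code: keeping token material out of inspect output,
# logs, telemetry and user-facing errors. Names and the key list are assumptions.
defmodule SubscriptionAuth.TokenSet do
  # Derived Inspect shows only these fields; access/refresh tokens never print.
  @derive {Inspect, only: [:provider, :account, :expires_at]}
  defstruct [:provider, :account, :access_token, :refresh_token, :expires_at]
end

defmodule SubscriptionAuth.Redactor do
  @sensitive_keys ~w(access_token refresh_token id_token client_secret code authorization cookie)
  # "Bearer <token>" in headers or free text, and secret-bearing query parameters.
  @bearer ~r/\b(Bearer\s+)[A-Za-z0-9\-._~+\/]+=*/i
  @query_secret ~r/([?&](?:code|access_token|refresh_token)=)[^&\s]+/i

  @doc "Deep-redacts a term so it is safe to log, emit as telemetry metadata, or show in the UI."
  def redact(%{__struct__: _} = struct), do: struct |> Map.from_struct() |> redact()

  def redact(map) when is_map(map) do
    Map.new(map, fn {k, v} ->
      if sensitive_key?(k), do: {k, "[REDACTED]"}, else: {k, redact(v)}
    end)
  end

  # Keyword lists (Logger metadata) get the same key check as maps.
  def redact(list) when is_list(list) do
    Enum.map(list, fn
      {k, v} when is_atom(k) or is_binary(k) ->
        if sensitive_key?(k), do: {k, "[REDACTED]"}, else: {k, redact(v)}

      item ->
        redact(item)
    end)
  end

  def redact(text) when is_binary(text) do
    text = Regex.replace(@bearer, text, "\\1[REDACTED]")
    Regex.replace(@query_secret, text, "\\1[REDACTED]")
  end

  def redact(other), do: other

  defp sensitive_key?(k) when is_atom(k), do: sensitive_key?(Atom.to_string(k))
  defp sensitive_key?(k) when is_binary(k), do: String.downcase(k) in @sensitive_keys
  defp sensitive_key?(_), do: false

  @doc "Maps internal auth failures to user-safe text; provider payloads are never echoed."
  def user_message(:state_expired), do: "The sign-in attempt expired. Please connect again."
  def user_message(:unknown_state), do: "This sign-in callback was not expected. Please connect again."
  def user_message(:refresh_failed), do: "Your session could not be refreshed. Please reconnect."
  def user_message(_other), do: "Authentication failed. Please try again."
end

# Usage with constructed input:
# meta = [provider: "acme", headers: %{"authorization" => "Bearer eyJhbGciOi.constructed.token"},
#         request: "GET /auth/callback?code=constructedcode&state=xyz"]
# Logger.warning("token refresh failed", SubscriptionAuth.Redactor.redact(meta))
# inspect(%SubscriptionAuth.TokenSet{provider: "acme", access_token: "constructed"})
```

The derived `Inspect` is the important safety net: crash reports, `IEx` sessions and `Logger` all go through `inspect/1`, so the struct cannot leak its secrets even on code paths nobody thought to redact. The redactor covers the values that travel outside the struct, such as headers and callback URLs.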

Security

  • Token redaction in logs, telemetry payloads, and activity surfaces.
  • CSRF/state protection on callback endpoints.
  • Local persistence strategy must be hardened (file permissions, keychain, or encrypted store).
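The hardened local persistence bullet, as an added example (not Loomkin code): an encrypted-at-rest token store using AES-256-GCM from Erlang's `:crypto`, written atomically with mode 0600, with an explicit delete for the revoke/disconnect path. The 32-byte key is supplied by the caller (for instance from the OS keychain or a secret manager); how it is obtained is outside this snippet, and the path, labels and function names are assumptions.

```elixir
# Added example, not Loomkin code: encrypted token store with restrictive file
# permissions and an atomic write. Key sourcing is the caller's responsibility.
defmodule SubscriptionAuth.TokenStore do
  # Constructed label bound into the AEAD tag, so a blob from another context fails to open.
  @aad "loomkin-token-store-v1"
  @iv_bytes 12
  @tag_bytes 16

  @doc "Encrypts `tokens` (any term) with AES-256-GCM and writes it to `path` with mode 0600."
  def write(path, tokens, key) when byte_size(key) == 32 do
    plaintext = :erlang.term_to_binary(tokens)
    iv = :crypto.strong_rand_bytes(@iv_bytes)
    {ciphertext, tag} = :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, plaintext, @aad, true)
    blob = iv <> tag <> ciphertext

    # Write to a sibling temp file, tighten permissions, then rename into place so a
    # reader never sees a half-written store. Only ciphertext is on disk during the
    # brief window before chmod, which is one reason to encrypt rather than rely on
    # permissions alone.
    tmp = path <> ".tmp"
    File.mkdir_p!(Path.dirname(path))

    with :ok <- File.write(tmp, blob),
         :ok <- File.chmod(tmp, 0o600),
         :ok <- File.rename(tmp, path) do
      :ok
    else
      {:error, reason} ->
        File.rm(tmp)
        {:error, reason}
    end
  end

  @doc "Reads and authenticates the store; a wrong key or tampered file yields {:error, :decrypt_failed}."
  def read(path, key) when byte_size(key) == 32 do
    with {:ok, <<iv::binary-size(@iv_bytes), tag::binary-size(@tag_bytes), ciphertext::binary>>} <-
           File.read(path),
         plaintext when is_binary(plaintext) <-
           :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, ciphertext, @aad, tag, false) do
      # :safe refuses to create new atoms from untrusted bytes.
      {:ok, :erlang.binary_to_term(plaintext, [:safe])}
    else
      :error -> {:error, :decrypt_failed}
      {:ok, _too_short} -> {:error, :corrupt_store}
      {:error, reason} -> {:error, reason}
    end
  end

  @doc "Revoke/disconnect path: remove the file so nothing lingers on disk after the provider revoke call."
  def delete(path), do: File.rm(path)

  @doc "True when the store is readable only by its owner; use it to warn on copied or restored files."
  def permissions_ok?(path) do
    case File.stat(path) do
      {:ok, %File.Stat{mode: mode}} -> Bitwise.band(mode, 0o077) == 0
      _ -> false
    end
  end
end

# Usage with a constructed key (in practice fetched from the OS keychain):
# key = :crypto.strong_rand_bytes(32)
# path = Path.join(System.user_home!(), ".loomkin/tokens.enc")
# :ok = SubscriptionAuth.TokenStore.write(path, %{"acme" => %{access_token: "constructed"}}, key)
# SubscriptionAuth.TokenStore.read(path, key)
```

GCM authenticates as well as encrypts, so a modified file is detected rather than decrypted into garbage; the random per-write IV keeps repeated writes of the same tokens from producing identical blobs.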

Out of Scope

  • Anthropic-specific identity/header logic.
  • Codex/Gemini provider transport adapters.
  • Coding-plan API-key provider integrations.

Acceptance Criteria

  • Shared OAuth/PKCE flow works end-to-end in Loomkin.
  • Token storage/refresh/revoke lifecycle is implemented and test-covered.
  • .loomkin.toml auth sections are supported and validated.
  • Connect/disconnect and auth-status UX is available.
  • Sensitive tokens/identifiers are redacted from logs/events/UI.
  • Integration tests cover success, expired token refresh, revoked token, and invalid callback state.
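The lifecycle states listed in the acceptance criteria (fresh token, expired token refresh, revoked token) together with the "refresh before expiry" and "failure backoff + retry policy" bullets in Scope, as an added example (not Loomkin code). The policy is a pure function that tells a scheduler what to do next, so it can be unit-tested without a provider; the skew, cap and attempt-limit values are assumptions. `invalid_grant` is the RFC 6749 error a provider returns when a refresh token has been revoked or has expired.

```elixir
# Added example, not Loomkin code: pure token-lifecycle policy. Thresholds are assumptions.
defmodule SubscriptionAuth.Lifecycle do
  # Refresh this long before expiry to absorb clock drift and request latency.
  @refresh_skew_seconds 120
  # After this many consecutive failures stop retrying and ask the user to reconnect.
  @max_refresh_failures 5
  @base_backoff_ms 1_000
  @max_backoff_ms 60_000

  @doc """
  Decides the next step for a token set.
  `token` has :expires_at (unix seconds) and :refresh_token; `failures` counts
  consecutive failed refreshes; `last_error` is nil or the latest refresh error.
  Returns :refresh_now, {:refresh_in_ms, ms} or {:reconnect_required, reason}.
  """
  def next_action(token, failures, last_error, now \\ System.system_time(:second))

  # Provider said the refresh token is dead: retrying cannot help, surface reconnect UX.
  def next_action(_token, _failures, {:error, :invalid_grant}, _now),
    do: {:reconnect_required, :token_revoked}

  def next_action(_token, failures, _last, _now) when failures >= @max_refresh_failures,
    do: {:reconnect_required, :refresh_exhausted}

  def next_action(%{refresh_token: nil}, _failures, _last, _now),
    do: {:reconnect_required, :no_refresh_token}

  # Healthy path: schedule the refresh ahead of expiry, or do it now if already due.
  def next_action(%{expires_at: expires_at}, 0, _last, now) do
    due_in = expires_at - @refresh_skew_seconds - now
    if due_in <= 0, do: :refresh_now, else: {:refresh_in_ms, due_in * 1000}
  end

  # Transient failure: retry with capped exponential backoff and full jitter.
  def next_action(_token, failures, _last, _now), do: {:refresh_in_ms, backoff_ms(failures)}

  # Full jitter spreads retries so many clients do not hit a recovering provider at once.
  def backoff_ms(failures) when failures > 0 do
    cap = min(@max_backoff_ms, @base_backoff_ms * Integer.pow(2, failures - 1))
    :rand.uniform(cap)
  end
end

# Usage with constructed values:
# now = 1_700_000_000
# token = %{refresh_token: "constructed", expires_at: now + 3600}
# SubscriptionAuth.Lifecycle.next_action(token, 0, nil, now)
# SubscriptionAuth.Lifecycle.next_action(token, 3, {:error, :timeout}, now)
# SubscriptionAuth.Lifecycle.next_action(token, 1, {:error, :invalid_grant}, now)
```

Separating the terminal cases (revoked, exhausted, no refresh token) from the transient ones is what gives the "graceful reconnect UX" its trigger: the caller shows the reconnect prompt exactly when the policy returns `{:reconnect_required, _}` and otherwise keeps the session alive without user involvement.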

Implementation Touchpoints

  • lib/loomkin/config.ex
  • lib/loomkin/application.ex
  • lib/loomkin_web/router.ex
  • lib/loomkin_web/live/workspace_live.ex
  • lib/loomkin_web/live/model_selector_component.ex
  • lib/loomkin/session/manager.ex
