Auth login with device flow and encrypted credential storage

## Requirement

**REQ-CLI-023** — Auth login command with device flow and encrypted credential storage

## Summary

Implement `lattice auth login` using OAuth2 device flow with encrypted credential storage. Based on auth team recommendations in #6.

## Specification

- Device flow authentication via Hydra (OIDC discovery at `/.well-known/openid-configuration`)
- Credential storage: OS keyring (`keyring` crate) primary, AES-256-GCM encrypted file fallback (`~/.forkzero/credentials.enc`) for headless
- File permissions: directories `0o700`, credential files `0o600`
- Auto-migrate from file to keyring when keyring becomes available
- Atomic file writes (temp + rename) to prevent corruption

## Dependencies

- [forkzero/auth#10](https://github.com/forkzero/auth/issues/10) — device_code grant type on Hydra client
- [forkzero/lattice#5](https://github.com/forkzero/lattice/issues/5) — original auth login issue
- REQ-API-010 (Authentication and Multi-Tenancy)

## Lattice

- Source: SRC-AUTH-PATTERNS (#6)
- Depends on: REQ-API-010

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Auth login with device flow and encrypted credential storage #10

Requirement

Summary

Specification

Dependencies

Lattice

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Auth login with device flow and encrypted credential storage #10

Description

Requirement

Summary

Specification

Dependencies

Lattice

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions