v3/docs/adr/ADR-306-cognitum-authentication-account-linking.md
ADRs 302–304 all hand off to ruflo auth login, which does not exist. The funnel cannot ship on an unspecified identity system: token handling, revocation, and storage are security-critical, and every consent decision in ADR-302 ultimately anchors to an account. This ADR specifies the complete identity lifecycle.
| Environment | Flow |
|---|---|
| Interactive desktop (browser reachable) | OAuth 2.0 Authorization Code + PKCE, loopback redirect |
| Headless / SSH / no browser | Device authorization flow (RFC 8628): CLI shows user code + verification URL |
| CI / non-TTY | auth login refuses interactively; service credentials only via explicit --token-stdin for enterprise automation |
| Enterprise SSO | OIDC federation brokered by Cognitum (IdP-initiated flows land on the same token contract); detailed in a follow-up amendment before enterprise GA |
claude-flow.config.json, never in .env.~/.ruflo/auth.json, 0600) stores only: account ID, granted scopes, access-token expiry, keychain entry reference, profile name. No token material.account.create ← consent domain: account
proxy.use ← consent domain: proxy-install
cloud.route ← consent domain: cloud-routing
telemetry.write ← consent domain: telemetry
hosted.memory.use ← consent domain: hosted-memory (new; same receipt rules)
auth login requests account.create only. Each further scope is requested at the moment its capability is enabled, gated on the corresponding ADR-302 consent receipt.cloud.route or telemetry.write. A token bearing a scope without a matching local consent receipt is a level-0 consent violation (ADR-305 gate hierarchy).auth login offers create-or-link on the Cognitum side; the CLI only ever receives tokens, never passwords.ruflo auth logout calls POST /v1/auth/revoke (ADR-308), removes the keychain entry, clears auth.json, and revokes the account consent receipt. Server-side revocation (dashboard) takes effect within one access-token lifetime.ruflo auth login --profile work; one default profile; ruflo auth status lists all with scopes and expiry.ruflo auth login|logout|status [--profile <name>].@claude-flow/security owns token handling primitives (keychain adapters, PKCE verifier generation); no other package touches token material.ruflo doctor gains an auth component (keychain availability, token expiry, scope-vs-receipt consistency check).