feat(token): add stored token support with resolve_token and token_source

Introduce a centralized token resolution system that supports both
environment variables and config-file-stored tokens with clear priority
(env var wins). This enables cron-based sync which runs in minimal
shell environments without env vars.

Core changes:
- GitLabConfig gains optional `token` field and `resolve_token()` method
  that checks env var first, then config file, returning trimmed values
- `token_source()` returns human-readable provenance ("environment variable"
  or "config file") for diagnostics
- `ensure_config_permissions()` enforces 0600 on config files containing
  tokens (Unix only, no-op on other platforms)

New CLI commands:
- `lore token set [--token VALUE]` — validates against GitLab API, stores
  in config, enforces file permissions. Supports flag, stdin pipe, or
  interactive entry.
- `lore token show [--unmask]` — displays masked token with source label

Consumers updated to use resolve_token():
- auth_test: removes manual env var lookup
- doctor: shows token source in health check output
- ingest: uses centralized resolution

Includes 10 unit tests for resolve/source logic and 2 for mask_token.

src/cli/commands/auth_test.rs

@@ -1,5 +1,5 @@
 use crate::core::config::Config;
-use crate::core::error::{LoreError, Result};
+use crate::core::error::Result;
 use crate::gitlab::GitLabClient;
 
 pub struct AuthTestResult {
@@ -11,17 +11,7 @@ pub struct AuthTestResult {
 pub async fn run_auth_test(config_path: Option<&str>) -> Result<AuthTestResult> {
     let config = Config::load(config_path)?;
 
-    let token = std::env::var(&config.gitlab.token_env_var)
-        .map(|t| t.trim().to_string())
-        .map_err(|_| LoreError::TokenNotSet {
-            env_var: config.gitlab.token_env_var.clone(),
-        })?;
-
-    if token.is_empty() {
-        return Err(LoreError::TokenNotSet {
-            env_var: config.gitlab.token_env_var.clone(),
-        });
-    }
+    let token = config.gitlab.resolve_token()?;
 
     let client = GitLabClient::new(&config.gitlab.base_url, &token, None);
 

src/cli/commands/doctor.rs

@@ -240,14 +240,14 @@ async fn check_gitlab(config: Option<&Config>) -> GitLabCheck {
         };
     };
 
-    let token = match std::env::var(&config.gitlab.token_env_var) {
-        Ok(t) if !t.trim().is_empty() => t.trim().to_string(),
-        _ => {
+    let token = match config.gitlab.resolve_token() {
+        Ok(t) => t,
+        Err(_) => {
             return GitLabCheck {
                 result: CheckResult {
                     status: CheckStatus::Error,
                     message: Some(format!(
-                        "{} not set in environment",
+                        "Token not set. Run 'lore token set' or export {}.",
                         config.gitlab.token_env_var
                     )),
                 },
@@ -257,6 +257,8 @@ async fn check_gitlab(config: Option<&Config>) -> GitLabCheck {
         }
     };
 
+    let source = config.gitlab.token_source().unwrap_or("unknown");
+
     let client = GitLabClient::new(&config.gitlab.base_url, &token, None);
 
     match client.get_current_user().await {
@@ -264,7 +266,7 @@ async fn check_gitlab(config: Option<&Config>) -> GitLabCheck {
             result: CheckResult {
                 status: CheckStatus::Ok,
                 message: Some(format!(
-                    "{} (authenticated as @{})",
+                    "{} (authenticated as @{}, token from {source})",
                     config.gitlab.base_url, user.username
                 )),
             },

src/cli/commands/ingest.rs

@@ -293,10 +293,7 @@ async fn run_ingest_inner(
     );
     lock.acquire(force)?;
 
-    let token =
-        std::env::var(&config.gitlab.token_env_var).map_err(|_| LoreError::TokenNotSet {
-            env_var: config.gitlab.token_env_var.clone(),
-        })?;
+    let token = config.gitlab.resolve_token()?;
 
     let client = GitLabClient::new(
         &config.gitlab.base_url,

src/cli/commands/init.rs

@@ -1,9 +1,10 @@
 use std::fs;
+use std::io::{IsTerminal, Read};
 
-use crate::core::config::{MinimalConfig, MinimalGitLabConfig, ProjectConfig};
+use crate::core::config::{Config, MinimalConfig, MinimalGitLabConfig, ProjectConfig};
 use crate::core::db::{create_connection, run_migrations};
 use crate::core::error::{LoreError, Result};
-use crate::core::paths::{get_config_path, get_data_dir};
+use crate::core::paths::{ensure_config_permissions, get_config_path, get_data_dir};
 use crate::gitlab::{GitLabClient, GitLabProject};
 
 pub struct InitInputs {
@@ -172,3 +173,141 @@ pub async fn run_init(inputs: InitInputs, options: InitOptions) -> Result<InitRe
         default_project: inputs.default_project,
     })
 }
+
+// ── token set / show ──
+
+pub struct TokenSetResult {
+    pub username: String,
+    pub config_path: String,
+}
+
+pub struct TokenShowResult {
+    pub token: String,
+    pub source: &'static str,
+}
+
+/// Read token from --token flag or stdin, validate against GitLab, store in config.
+pub async fn run_token_set(
+    config_path_override: Option<&str>,
+    token_arg: Option<String>,
+) -> Result<TokenSetResult> {
+    let config_path = get_config_path(config_path_override);
+
+    if !config_path.exists() {
+        return Err(LoreError::ConfigNotFound {
+            path: config_path.display().to_string(),
+        });
+    }
+
+    // Resolve token value: flag > stdin > error
+    let token = if let Some(t) = token_arg {
+        t.trim().to_string()
+    } else if !std::io::stdin().is_terminal() {
+        let mut buf = String::new();
+        std::io::stdin()
+            .read_to_string(&mut buf)
+            .map_err(|e| LoreError::Other(format!("Failed to read token from stdin: {e}")))?;
+        buf.trim().to_string()
+    } else {
+        return Err(LoreError::Other(
+            "No token provided. Use --token or pipe to stdin.".to_string(),
+        ));
+    };
+
+    if token.is_empty() {
+        return Err(LoreError::Other("Token cannot be empty.".to_string()));
+    }
+
+    // Load config to get the base URL for validation
+    let config = Config::load(config_path_override)?;
+
+    // Validate token against GitLab
+    let client = GitLabClient::new(&config.gitlab.base_url, &token, None);
+    let user = client.get_current_user().await.map_err(|e| {
+        if matches!(e, LoreError::GitLabAuthFailed) {
+            LoreError::Other("Token validation failed: authentication rejected by GitLab.".into())
+        } else {
+            e
+        }
+    })?;
+
+    // Read config as raw JSON, insert token, write back
+    let content = fs::read_to_string(&config_path)
+        .map_err(|e| LoreError::Other(format!("Failed to read config file: {e}")))?;
+
+    let mut json: serde_json::Value =
+        serde_json::from_str(&content).map_err(|e| LoreError::ConfigInvalid {
+            details: format!("Invalid JSON in config file: {e}"),
+        })?;
+
+    json["gitlab"]["token"] = serde_json::Value::String(token);
+
+    let output = serde_json::to_string_pretty(&json)
+        .map_err(|e| LoreError::Other(format!("Failed to serialize config: {e}")))?;
+    fs::write(&config_path, format!("{output}\n"))?;
+
+    // Enforce permissions
+    ensure_config_permissions(&config_path);
+
+    Ok(TokenSetResult {
+        username: user.username,
+        config_path: config_path.display().to_string(),
+    })
+}
+
+/// Show the current token (masked or unmasked) and its source.
+pub fn run_token_show(config_path_override: Option<&str>, unmask: bool) -> Result<TokenShowResult> {
+    let config = Config::load(config_path_override)?;
+
+    let source = config
+        .gitlab
+        .token_source()
+        .ok_or_else(|| LoreError::TokenNotSet {
+            env_var: config.gitlab.token_env_var.clone(),
+        })?;
+
+    let token = config.gitlab.resolve_token()?;
+
+    let display_token = if unmask { token } else { mask_token(&token) };
+
+    Ok(TokenShowResult {
+        token: display_token,
+        source,
+    })
+}
+
+fn mask_token(token: &str) -> String {
+    let len = token.len();
+    if len <= 8 {
+        "*".repeat(len)
+    } else {
+        let visible = &token[..4];
+        format!("{visible}{}", "*".repeat(len - 4))
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn mask_token_hides_short_tokens_completely() {
+        assert_eq!(mask_token(""), "");
+        assert_eq!(mask_token("a"), "*");
+        assert_eq!(mask_token("abcd"), "****");
+        assert_eq!(mask_token("abcdefgh"), "********");
+    }
+
+    #[test]
+    fn mask_token_reveals_first_four_chars_for_long_tokens() {
+        assert_eq!(mask_token("abcdefghi"), "abcd*****");
+        assert_eq!(mask_token("glpat-xyzABC123456"), "glpa**************");
+    }
+
+    #[test]
+    fn mask_token_boundary_at_nine_chars() {
+        // 8 chars → fully masked, 9 chars → first 4 visible
+        assert_eq!(mask_token("12345678"), "********");
+        assert_eq!(mask_token("123456789"), "1234*****");
+    }
+}

src/cli/commands/list_tests.rs

@@ -95,6 +95,7 @@ fn test_config(default_project: Option<&str>) -> Config {
         gitlab: GitLabConfig {
             base_url: "https://gitlab.example.com".to_string(),
             token_env_var: "GITLAB_TOKEN".to_string(),
+            token: None,
         },
         projects: vec![ProjectConfig {
             path: "group/project".to_string(),