fix(docs): align README, plugin, and docs with source-of-truth

[zriyansh]

Summary

Aligns documentation with what the source actually does. All claims verified against agentrhq/authsome main at 3929b86 before editing.

Verified findings that drove the edits

Provider count. src/authsome/auth/bundled_providers/ has 45 JSONs: 14 OAuth2 + 31 API key. Notion ships two entries (notion + notion_dcr); Klaviyo ships two (klaviyo + klaviyo-oauth). The README and the plugin manifest said "44 / 13 OAuth"; corrected.

Master key path. paths.py:get_server_home() → .authsome/server. vault/crypto.py docstring: "master key stored in ~/.authsome/server/master.key". Three doc pages used the top-level path; corrected.

Architecture layer status. src/authsome/ has identity/ (Ed25519 keys, did:key, PoP JWT) and audit/ modules. The architecture page's Note saying "the alpha focuses on Vault and Auth" was straightforwardly wrong. Replaced with a status table reflecting reality. Only policy/ is genuinely planned.

Hosted daemon cross-reference. AUTHSOME_DAEMON_URL and AUTHSOME_SERVER_BASE_URL ship per the 0.2.4 changelog, but the threat model classifies hosted daemons as "Caveat (VPN only)" for private and "No" for public. Cross-reference added so adopters see the constraint at the feature announcement.

Files

• README.md — 44 → 45, 13 OAuth → 14 OAuth, run python → run -- python, authsome.agentr.dev → authsome.ai (consistent with fix(docs): repoint canonical to authsome.ai and drop dead links #271).
• .claude-plugin/marketplace.json — same provider-count correction.
• docs/site/security/threat-model.mdx — data-at-rest table and offline-disk paragraph.
• docs/site/security/encryption.mdx — local_key backend description.
• docs/site/troubleshooting/doctor.mdx — both FAIL accordions and the chmod remediation. Also routes users to authsome init instead of relying on side-effect-on-first-CLI-run.
• docs/site/concepts/credential-storage.mdx — local_key backend description.
• docs/site/concepts/architecture.mdx — per-layer status table replaces the stale Note. Also updates the Vault paragraph to reference ~/.authsome/server/kv_store/.
• docs/site/changelog.mdx — hosted daemon cross-reference.

Out of scope (tracked for follow-up PRs)

• Profile trees still show old layout. credential-storage.mdx and profiles-vs-connections.mdx display profiles/<name>/store.db as a top-level folder, which conflicts with the canonical server/kv_store/ layout in file-layout.mdx. The whole "profiles as folder" vs "profiles as key prefix" framing needs a dedicated rewrite.
• mitmproxy CA install procedure. 10 pages mention the CA; none provide install commands for macOS, Linux, or Windows. The doctor doesn't check for it either.
• Anthropic bundling. Currently a custom-provider register flow. Other major LLM keys (OpenAI) ship bundled.
• Marketing site sitemap lives in authsome-web/, separate repo.

Audit claims that turned out to be wrong

• --force is documented in the CLI reference under login (line 74) and register (line 228/231). No fix needed.
• whoami side effect is universal, not specific. ANY first CLI command triggers home-dir init; authsome init already exists as the explicit form.

Test plan

• After merge + Mintlify rebuild, verify the corrected provider count appears on /docs/reference/bundled-providers.
• Spot-check the architecture page renders the status table cleanly.
• Confirm the doctor remediation now points at the correct path: chmod 0600 ~/.authsome/server/master.key.