feat(jellyfin): move auth to env and stored session

backlog/tasks/task-93 - Remove-Jellyfin-token-userId-from-config-use-env-and-stored-session.md

@@ -0,0 +1,32 @@
+---
+id: TASK-93
+title: Remove Jellyfin token/userId from config; use env override and stored session
+status: Done
+assignee: []
+created_date: '2026-02-21 04:20'
+updated_date: '2026-02-21 04:27'
+labels: []
+dependencies: []
+priority: high
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+Remove `jellyfin.accessToken` and `jellyfin.userId` from editable config surface. Resolve Jellyfin auth via env override (`SUBMINER_JELLYFIN_ACCESS_TOKEN`, optional `SUBMINER_JELLYFIN_USER_ID`) and locally stored Jellyfin auth session payload persisted by login/setup.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [ ] #1 `jellyfin.accessToken` and `jellyfin.userId` no longer parsed/documented as config fields.
+- [ ] #2 Jellyfin login/setup persists token + userId in local encrypted session store.
+- [ ] #3 Jellyfin runtime resolves auth from env override first, then stored session payload.
+- [ ] #4 Jellyfin logout clears stored session payload.
+- [ ] #5 Runtime tests cover env override + stored session fallback behavior.
+<!-- AC:END -->
+
+## Implementation Notes
+
+<!-- SECTION:NOTES:BEGIN -->
+Implemented: evolved `jellyfin-token-store` to encrypted session payload store (`accessToken` + `userId`), updated Jellyfin resolver precedence to env-first (`SUBMINER_JELLYFIN_ACCESS_TOKEN`, optional `SUBMINER_JELLYFIN_USER_ID`) then stored session fallback, removed `jellyfin.accessToken`/`jellyfin.userId` from config defaults+parsing+public docs/example, and updated CLI/setup auth wiring to persist/clear session store while keeping `serverUrl`/`username` config behavior.
+<!-- SECTION:NOTES:END -->