Commit 6d1f475
docs: Add PRD for browser-based auth in aws/user identity (#1887)
* docs: Add PRD for AWS browser-based authentication (aws/login provider)
Add product requirements document for implementing browser-based OAuth2
authentication for root and IAM identities using the AWS CLI login command.
Covers user stories, technical details, requirements, configuration schema,
and implementation approach.
🤖 Generated with Claude Code
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* docs: Update PRD to use native SDK instead of AWS CLI wrapper
Change implementation approach from wrapping `aws login` CLI command
to native OAuth2 Authorization Code flow with PKCE using AWS SDK.
Removes external AWS CLI dependency requirement.
🤖 Generated with Claude Code
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* docs: Update PRD - integrate webflow into aws/user identity
Change approach from new aws/login provider to enhancing existing
aws/user identity with browser authentication as a fallback:
1. YAML config credentials (highest priority)
2. Keychain credentials via `atmos auth user configure`
3. Browser webflow authentication (NEW - fallback)
This provides zero-config authentication while maintaining backward
compatibility with existing aws/user configurations.
🤖 Generated with Claude Code
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* docs: Add browser-based auth milestone to roadmap
Add planned milestone for OAuth2 browser authentication as fallback
for aws/user identity (PR #1887) to the auth initiative roadmap.
🤖 Generated with Claude Code
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* docs: Fix FR-4/NFR-1 requirements contradiction in PRD
Remove AWS CLI version validation requirement (FR-4) which conflicted
with NFR-1 (native SDK implementation, no AWS CLI dependency).
Updated functional requirements:
- FR-3: Cache credentials in atmos credential store (not AWS CLI cache)
- FR-4: Role chaining integration (was FR-5)
- Renumbered remaining requirements
🤖 Generated with Claude Code
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
* docs: Remove stale AWS CLI references from testing section
Update testing strategy to align with native SDK implementation:
- Remove AWS CLI version detection test (contradicts NFR-1)
- Add OAuth2 PKCE flow (mocked HTTP server) test
- Update terminology from CLI failures to authentication failures
* docs: Fix broken link in PRD references
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: Address review feedback on AWS browser auth PRD
- Differentiate root vs IAM user prerequisites (root does not need
SignInLocalDevelopmentAccess policy or signin:* actions)
- Clarify SCP behavior for root vs IAM principals
- Resolve open questions: webflow credentials cached in keychain,
webflow_enabled toggle for disabling fallback
- Remove duplicate auto-detection question (already covered by FR-7)
- Replace unrelated IAM Identity Center reference with AWS Signin
Service Authorization Reference
- Specify ephemeral port strategy for local callback server
- Add language tags to fenced code blocks
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: Address second round of review feedback on AWS browser auth PRD
- Add webflow_enabled field to configuration schema with default true
- Clarify credential storage uses atmos keychain (not AWS CLI cache),
consistent with Design Decision 1 and NFR-1
- Add RFC 8252 Section 7.3 reference for loopback redirect_uri port
acceptance
- Update stale PR title in roadmap prs array
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: Rewrite PRD intro to frame AWS browser auth in context
Rework Overview and Problem Statement to explain the historical
limitation of IAM static credentials, AWS's recent introduction of
browser-based auth for IAM/root, and the gap in Atmos's aws/user
identity. Link to the AWS announcement blog post.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: Update PRD storage path, examples, and headless mode approach
- Use XDG data directory for credential storage instead of ~/.aws path
- Label example configs as "Existing, Unaffected by Webflow"
- Replace --remote flag with existing --interactive=false global flag
throughout (FR-2, FR-7, US-4, UX examples, docs, rollout plan)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com>

1 parent 50d5048 commit 6d1f475
2 files changed, +404 -1 lines changed