refactor: architecture revision — modular monolith, auth-commit, event protobuf, privacy-from-day-0

- ADR-0003: modular monolith for Phase 0 with documented extraction triggers
- ADR-0004: Auth.js + OIDC-shaped boundary; dedicated provider when mobile ships
- ADR-0005: protobuf for events, OpenAPI for HTTP, schema-registry CI gate
- New architecture docs: data-model, metrics (magic proxies), privacy (Phase-0 feature)
- Prime directives updated: privacy-as-feature, modular-by-package-deployable-by-stage
- Roadmap revised: Apple OAuth deferred to M1; web push in M1; k3s intermediate; tip-kind-aware UI
- PLAN updated: Phase-0 deletion endpoint, metrics baseline, compose profiles, import-boundary lint
- License decision in README (ARR with OSS plan in Phase 5)

services/integrations/README.md

@@ -7,11 +7,14 @@ Third-party connectors and the token vault.
 ```ts
 interface Connector {
   id: string                                // e.g. "todoist"
+  scopes: string[]                          // human-readable list shown in consent UI
   beginOAuth(user): Promise<{ redirectUrl, state }>
   finishOAuth(code, state): Promise<StoredCredential>
   fetchSignals(user, since?): AsyncIterable<NormalizedEvent>
-  // optional write-back, e.g. mark task done
-  act?(user, action): Promise<void>
+  // incremental-sync cursor (Todoist sync_token, webhook timestamps, etc.)
+  // stored in Credential.meta; the connector owns its shape.
+  act?(user, action): Promise<void>          // optional write-back (complete task, etc.)
+  revoke(user): Promise<void>                // REQUIRED: provider-side token revocation on disconnect
 }
 ```