Plaintext TOML credential storage at ~/.config/mlf/credentials.toml (global) and /.mlf/credentials.toml (project-local, opt-in via --project, meant for CI). Files are written mode 0600 on Unix. One [pds] section carrying handle + app_password + did/pds cache; one [dns.] section per configured DNS provider whose fields come from the plugin's options_schema and are preserved on round-trip.
mlf login [pds|dns ] validates credentials before writing — PDS login runs handle→DID→PDS resolution via mlf-atproto::identity (adding resolve_handle_to_did with DNS+well-known fallback) and calls createSession; DNS plugin login spawns the plugin binary, collects schema fields via --flag=value → prompt fallback, forwards them via init, and asks the plugin to validate via its login op. Credentials returned from login replace whatever we collected so plugins can normalise them.
mlf logout [pds|dns []] mirrors the login tree and rewrites the credentials file minus the targeted sections. --non-interactive on login errors with the exact flag name for any missing field instead of prompting.