refactor(ollama)!: remove Ollama provider crate and implementation

Deletes the `owlen-ollama` Cargo.toml and source files, fully removing the Ollama provider from the workspace. This aligns the project with the MCP‑only architecture and eliminates direct provider dependencies.

docs/configuration.md

@@ -133,13 +133,28 @@ base_url = "https://ollama.com"
 
 ### Using Ollama Cloud
 
-To talk to [Ollama Cloud](https://docs.ollama.com/cloud), point the base URL at the hosted endpoint and supply your API key:
+Owlen now ships a single unified `ollama` provider. When an API key is present, Owlen automatically routes traffic to [Ollama Cloud](https://docs.ollama.com/cloud); otherwise it talks to the local daemon. A minimal configuration looks like this:
 
 ```toml
-[providers.ollama-cloud]
-provider_type = "ollama-cloud"
-base_url = "https://ollama.com"
+[providers.ollama]
+provider_type = "ollama"
+base_url = "http://localhost:11434"   # ignored once an API key is supplied
 api_key = "${OLLAMA_API_KEY}"
 ```
 
 Requests target the same `/api/chat` endpoint documented by Ollama and automatically include the API key using a `Bearer` authorization header. If you prefer not to store the key in the config file, you can leave `api_key` unset and provide it via the `OLLAMA_API_KEY` (or `OLLAMA_CLOUD_API_KEY`) environment variable instead. You can also reference an environment variable inline (for example `api_key = "$OLLAMA_API_KEY"` or `api_key = "${OLLAMA_API_KEY}"`), which Owlen expands when the configuration is loaded. The base URL is normalised automatically—Owlen enforces HTTPS, trims trailing slashes, and accepts both `https://ollama.com` and `https://api.ollama.com` without rewriting the host.
+
+> **Tip:** If the official `ollama signin` flow fails on Linux v0.12.3, follow the [Linux Ollama sign-in workaround](#linux-ollama-sign-in-workaround-v0123) in the troubleshooting guide to copy keys from a working machine or register them manually.
+
+### Managing cloud credentials via CLI
+
+Owlen now ships with an interactive helper for Ollama Cloud:
+
+```bash
+owlen cloud setup          # Prompt for your API key (or use --api-key)
+owlen cloud status         # Verify authentication/latency
+owlen cloud models         # List the hosted models your account can access
+owlen cloud logout         # Forget the stored API key
+```
+
+When `privacy.encrypt_local_data = true`, the API key is written to Owlen's encrypted credential vault instead of being persisted in plaintext. Subsequent invocations automatically load the key into the runtime environment so that the config file can remain redacted. If encryption is disabled, the key is stored under `[providers.ollama-cloud].api_key` as before.

docs/troubleshooting.md

@@ -40,11 +40,68 @@ If Owlen is not behaving as you expect, there might be an issue with your config
 
 ## Ollama Cloud Authentication Errors
 
-If you see `Auth` errors when using the `ollama-cloud` provider:
+If you see `Auth` errors when using the hosted service:
 
-1. Ensure `providers.ollama-cloud.api_key` is set **or** export `OLLAMA_API_KEY` / `OLLAMA_CLOUD_API_KEY` before launching Owlen.
-2. Confirm the key has access to the requested models.
-3. Avoid pasting extra quotes or whitespace into the config file—`owlen config doctor` will normalise the entry for you.
+1. Run `owlen cloud setup` to register your API key (with `--api-key` for non-interactive use).
+2. Use `owlen cloud status` to verify Owlen can authenticate against [Ollama Cloud](https://docs.ollama.com/cloud).
+3. Ensure `providers.ollama.api_key` is set **or** export `OLLAMA_API_KEY` / `OLLAMA_CLOUD_API_KEY` when encryption is disabled. With `privacy.encrypt_local_data = true`, the key lives in the encrypted vault and is loaded automatically.
+4. Confirm the key has access to the requested models.
+5. Avoid pasting extra quotes or whitespace into the config file—`owlen config doctor` will normalise the entry for you.
+
+### Linux Ollama Sign-In Workaround (v0.12.3)
+
+Ollama v0.12.3 on Linux ships with a broken `ollama signin` command. Until you can upgrade to ≥0.12.4, use one of the manual workflows below to register your key pair.
+
+#### 1. Manual key copy
+
+1. **Locate (or generate) keys on Linux**
+   ```bash
+   ls -la /usr/share/ollama/.ollama/
+   sudo systemctl start ollama   # start the service if the directory is empty
+   ```
+2. **Copy keys from a working Mac**
+   ```bash
+   # On macOS (source machine)
+   cat ~/.ollama/id_ed25519.pub
+   cat ~/.ollama/id_ed25519
+   ```
+   ```bash
+   # On Linux (target machine)
+   sudo systemctl stop ollama
+   sudo mkdir -p /usr/share/ollama/.ollama
+   sudo tee /usr/share/ollama/.ollama/id_ed25519.pub <<'EOF'
+   <paste mac public key>
+   EOF
+   sudo tee /usr/share/ollama/.ollama/id_ed25519 <<'EOF'
+   <paste mac private key>
+   EOF
+   sudo chown -R ollama:ollama /usr/share/ollama/.ollama/
+   sudo chmod 600 /usr/share/ollama/.ollama/id_ed25519
+   sudo chmod 644 /usr/share/ollama/.ollama/id_ed25519.pub
+   sudo systemctl start ollama
+   ```
+
+#### 2. Manual web registration
+
+1. Read the Linux public key:
+   ```bash
+   sudo cat /usr/share/ollama/.ollama/id_ed25519.pub
+   ```
+2. Open <https://ollama.com/settings/keys> and paste the public key.
+
+After either method, confirm access:
+
+```bash
+ollama list
+```
+
+#### Troubleshooting
+
+- Permissions: `sudo chown -R ollama:ollama /usr/share/ollama/.ollama/` then re-apply `chmod` (`600` private, `644` public).
+- Service status: `sudo systemctl status ollama` and `sudo journalctl -u ollama -f`.
+- Alternate paths: Some distros run Ollama as a user process (`~/.ollama`). Copy the keys into that directory if `/usr/share/ollama/.ollama` is unused.
+
+This workaround mirrors what `ollama signin` should do—register the key pair with Ollama Cloud—without waiting for the patched release. Once you upgrade to v0.12.4 or newer, the interactive sign-in command works again.
 
 ## Performance Tuning