feat(auth): add hotdata auth register command

Opens the browser to /auth/cli-register/ with PKCE params, waits for
the provisioning-complete callback from the webapp, then exchanges the
CLIAuthCode for a full JWT session (via mint_from_api_token) so the
on-disk state is identical to a normal hotdata auth login.

Changes:
- auth.rs: add register(), refactor receive_callback to accept
  success_title/success_body for the browser confirmation page
- jwt.rs: add exchange_cli_register_code — POSTs code+verifier to
  /v1/auth/token, gets opaque API token, mints JWT session from it
- command.rs: add Register variant to AuthCommands
- main.rs: dispatch AuthCommands::Register to auth::register()

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: eddietejeda

src/auth.rs

@@ -169,7 +169,13 @@ struct WsListResponse { workspaces: Vec<WsItem> }
 struct WsItem { public_id: String, name: String }
 
 /// Wait for the browser callback, verify state, and extract the authorization code.
-fn receive_callback(server: &tiny_http::Server, expected_state: &str) -> Result<String, String> {
+/// `success_title` and `success_body` are rendered in the browser tab on success.
+fn receive_callback(
+    server: &tiny_http::Server,
+    expected_state: &str,
+    success_title: &str,
+    success_body: &str,
+) -> Result<String, String> {
     let request = server.recv().map_err(|e| format!("failed to receive callback: {e}"))?;
     let raw_url = request.url().to_string();
     let params = parse_query_params(&raw_url);
@@ -187,33 +193,34 @@ fn receive_callback(server: &tiny_http::Server, expected_state: &str) -> Result<
         }
     };
 
-    let html = r#"<!DOCTYPE html>
+    let html = format!(
+        r#"<!DOCTYPE html>
 <html lang="en">
 <head>
   <meta charset="UTF-8" />
   <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-  <title>Hotdata — Login Successful</title>
+  <title>Hotdata — {success_title}</title>
   <style>
-    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
-    body {
+    *, *::before, *::after {{ box-sizing: border-box; margin: 0; padding: 0; }}
+    body {{
       font-family: ui-sans-serif, system-ui, -apple-system, sans-serif;
       background: #111827;
       color: #e5e7eb;
       display: flex;
       align-items: center;
       justify-content: center;
       min-height: 100vh;
-    }
-    .card {
+    }}
+    .card {{
       background: #1f2937;
       border: 1px solid #374151;
       border-radius: 0.5rem;
       padding: 2.5rem;
       max-width: 420px;
       width: 100%;
       text-align: center;
-    }
-    .icon {
+    }}
+    .icon {{
       width: 48px;
       height: 48px;
       background: #14532d;
@@ -222,10 +229,10 @@ fn receive_callback(server: &tiny_http::Server, expected_state: &str) -> Result<
       align-items: center;
       justify-content: center;
       margin: 0 auto 1.25rem;
-    }
-    .icon svg { width: 24px; height: 24px; stroke: #86efac; }
-    h1 { font-size: 1.25rem; font-weight: 600; color: #f3f4f6; margin-bottom: 0.5rem; }
-    p { font-size: 0.875rem; color: #9ca3af; line-height: 1.5; }
+    }}
+    .icon svg {{ width: 24px; height: 24px; stroke: #86efac; }}
+    h1 {{ font-size: 1.25rem; font-weight: 600; color: #f3f4f6; margin-bottom: 0.5rem; }}
+    p {{ font-size: 0.875rem; color: #9ca3af; line-height: 1.5; }}
   </style>
 </head>
 <body>
@@ -235,11 +242,12 @@ fn receive_callback(server: &tiny_http::Server, expected_state: &str) -> Result<
         <path stroke-linecap="round" stroke-linejoin="round" d="M4.5 12.75l6 6 9-13.5" />
       </svg>
     </div>
-    <h1>Login successful</h1>
-    <p>You're now authenticated with Hotdata.<br/>You can close this tab and return to the terminal.</p>
+    <h1>{success_title}</h1>
+    <p>{success_body}</p>
   </div>
 </body>
-</html>"#;
+</html>"#
+    );
     let response = tiny_http::Response::from_string(html).with_header(
         "Content-Type: text/html"
             .parse::<tiny_http::Header>()
@@ -318,7 +326,12 @@ pub fn login() {
 
     println!("Waiting for login callback...");
 
-    let code = match receive_callback(&server, &state) {
+    let code = match receive_callback(
+        &server,
+        &state,
+        "Login successful",
+        "You're now authenticated with Hotdata.<br/>You can close this tab and return to the terminal.",
+    ) {
         Ok(c) => c,
         Err(e) => {
             eprintln!("error: {e}");
@@ -358,6 +371,107 @@ pub fn login() {
     }
 }
 
+pub fn register() {
+    let profile_config = config::load("default").unwrap_or_default();
+    let app_url = profile_config.app_url.to_string();
+
+    if is_already_signed_in(&profile_config) {
+        println!(
+            "{}",
+            "You are already signed in. Use 'hotdata auth login' to log in with a different account.".green()
+        );
+        return;
+    }
+
+    let code_verifier = generate_code_verifier();
+    let code_challenge = generate_code_challenge(&code_verifier);
+    let state = generate_random_string(32);
+
+    let server =
+        tiny_http::Server::http("127.0.0.1:0").expect("failed to start local callback server");
+    let port = server.server_addr().to_ip().unwrap().port();
+
+    let register_url = format!(
+        "{app_url}/auth/cli-register/\
+        ?code_challenge={code_challenge}\
+        &code_challenge_method=S256\
+        &state={state}\
+        &callback_port={port}",
+        app_url = app_url.trim_end_matches('/'),
+    );
+
+    println!("Opening browser to create your account...");
+    stdout()
+        .execute(Print("If your browser does not open, visit:\n  "))
+        .unwrap()
+        .execute(SetForegroundColor(Color::DarkGrey))
+        .unwrap()
+        .execute(Print(format!("{register_url}\n")))
+        .unwrap()
+        .execute(ResetColor)
+        .unwrap();
+
+    if let Err(e) = open::that(&register_url) {
+        eprintln!("failed to open browser: {e}");
+    }
+
+    println!("Waiting for account setup to complete...");
+
+    let code = match receive_callback(
+        &server,
+        &state,
+        "Account created",
+        "Your Hotdata account is ready.<br/>You can close this tab and return to the terminal.",
+    ) {
+        Ok(c) => c,
+        Err(e) => {
+            eprintln!("error: {e}");
+            std::process::exit(1);
+        }
+    };
+
+    match crate::jwt::exchange_cli_register_code(&profile_config, &code, &code_verifier) {
+        Ok(session) => {
+            if let Err(e) = crate::jwt::save_session(&session) {
+                eprintln!("warning: could not save session: {e}");
+            }
+            stdout()
+                .execute(SetForegroundColor(Color::Green))
+                .unwrap()
+                .execute(Print("Account created and logged in.\n"))
+                .unwrap()
+                .execute(ResetColor)
+                .unwrap();
+
+            let workspaces = cache_workspaces(&profile_config, &session.access_token)
+                .unwrap_or(profile_config.workspaces);
+            match workspaces.first() {
+                Some(w) => {
+                    print_row(
+                        "Workspace",
+                        &format!(
+                            "{} {}",
+                            w.name.as_str().cyan(),
+                            format!("({})", w.public_id).dark_grey()
+                        ),
+                    );
+                    print_row(
+                        "",
+                        &"use 'hotdata workspaces set' to switch workspaces"
+                            .dark_grey()
+                            .to_string(),
+                    );
+                }
+                None => print_row("Workspace", &"None".dark_grey().to_string()),
+            }
+        }
+        Err(msg) => {
+            eprintln!("{}", msg.red());
+            std::process::exit(1);
+        }
+    }
+}
+
 /// Fetch workspaces with a freshly minted JWT and cache them in config.
 /// Returns the freshly fetched list so callers can display it without
 /// having to reload config from disk.
@@ -650,7 +764,7 @@ mod tests {
                 .unwrap();
         });
 
-        let result = receive_callback(&server, "expected-state");
+        let result = receive_callback(&server, "expected-state", "", "");
         handle.join().unwrap();
 
         assert_eq!(result.unwrap(), "test-auth-code");
@@ -670,7 +784,7 @@ mod tests {
                 .send();
         });
 
-        let result = receive_callback(&server, "expected-state");
+        let result = receive_callback(&server, "expected-state", "", "");
         handle.join().unwrap();
 
         assert!(result.is_err());
@@ -754,7 +868,7 @@ mod tests {
                 .send();
         });
 
-        let result = receive_callback(&server, "expected-state");
+        let result = receive_callback(&server, "expected-state", "", "");
         handle.join().unwrap();
 
         assert!(result.is_err());

src/command.rs

@@ -274,6 +274,9 @@ pub enum AuthCommands {
     /// Log in via browser (same as `hotdata auth` with no subcommand)
     Login,
 
+    /// Create a new account via browser
+    Register,
+
     /// Remove authentication for a profile
     Logout,
 

src/jwt.rs

@@ -153,6 +153,49 @@ fn redacted_form_body(params: &[(&str, &str)]) -> serde_json::Value {
 /// body so the caller can still parse real values out of it.
 const TOKEN_REDACT_KEYS: &[&str] = &["access_token", "refresh_token"];
 
+/// Exchange a CLI registration PKCE code for a session.
+///
+/// The `/auth/cli-register/` flow issues a short-lived `CLIAuthCode` (not a
+/// full OAuth code). This function POSTs it to `/v1/auth/token` to get an
+/// opaque API token, then immediately mints a full JWT session via
+/// `mint_from_api_token` so the on-disk state is identical to a normal login.
+pub fn exchange_cli_register_code(
+    profile: &config::ProfileConfig,
+    code: &str,
+    code_verifier: &str,
+) -> Result<Session, String> {
+    let url = format!("{}/v1/auth/token", oauth_base(profile));
+    let body = serde_json::json!({ "code": code, "code_verifier": code_verifier });
+    let body_log = serde_json::json!({
+        "code": util::mask_credential(code),
+        "code_verifier": util::mask_credential(code_verifier),
+    });
+
+    let client = reqwest::blocking::Client::new();
+    let req = client.post(&url).json(&body);
+    let (status, body_text) = util::send_debug_with_redaction(
+        &client,
+        req,
+        Some(&body_log),
+        &["token"],
+    )
+    .map_err(|e| format!("connection error: {e}"))?;
+    if !status.is_success() {
+        return Err(format!(
+            "registration token exchange failed: HTTP {status}: {body_text}"
+        ));
+    }
+
+    #[derive(Deserialize)]
+    struct RegisterResponse {
+        token: String,
+    }
+    let resp: RegisterResponse = serde_json::from_str(&body_text)
+        .map_err(|e| format!("malformed token response: {e}"))?;
+
+    mint_from_api_token(profile, &resp.token)
+}
+
 /// Exchange a PKCE authorization code for a session.
 pub fn mint_from_pkce_code(
     profile: &config::ProfileConfig,

src/main.rs

@@ -158,6 +158,7 @@ fn main() {
         Some(cmd) => match cmd {
             Commands::Auth { command } => match command {
                 None | Some(AuthCommands::Login) => auth::login(),
+                Some(AuthCommands::Register) => auth::register(),
                 Some(AuthCommands::Status) => auth::status("default"),
                 Some(AuthCommands::Logout) => auth::logout("default"),
             },