fix(publish): prompt for OTP on registry challenge #767

Merged: jdx merged 1 commit into main from codex/publish-otp-prompt on May 25, 2026

jdx (Owner) commented May 25, 2026

Summary

  • detect npm OTP challenges from publish PUT failures
  • prompt for an OTP and retry once when interactive and --otp was not provided
  • return a clear --otp <CODE> hint in non-interactive runs

Addresses https://github.com/endevco/aube/discussions/345#discussioncomment-17049217.

Validation

  • cargo fmt --check
  • git diff --check
  • cargo test -p aube commands::publish::tests
  • cargo build

This PR was generated by Codex.


Note

Medium Risk
Changes publish authentication flow and registry PUT retry behavior; mistakes in OTP detection could prompt incorrectly or skip needed 2FA, though scope is limited to the publish command.

Overview
Publish now treats registry 401/403 responses that look like an OTP/2FA challenge as recoverable when --otp was not passed: the PUT is retried once after collecting a code (masked interactive prompt via demand, or a clear --otp <CODE> error when stdin/stderr are not a TTY).

The one-shot PUT path is factored into send_publish_put returning structured PublishHttpFailure, with publish_failure_needs_otp parsing common npm messages (EOTP, missing npm-otp, “two-factor … required”, etc.) so plain bad-token failures are not mistaken for OTP prompts. Unit tests cover those detection cases.

Reviewed by Cursor Bugbot for commit e327d22. Bugbot is set up for automated code reviews on this repo.

greptile-apps Bot (Contributor) commented May 25, 2026

Greptile Summary

This PR adds OTP (one-time password) challenge handling to aube publish. When a PUT to the registry responds with a 401/403 that looks like an OTP requirement and --otp was not supplied, the CLI prompts for the code interactively (masked input via demand) and retries once; in non-interactive environments it returns a clear --otp <CODE> hint instead.

  • Publish PUT is extracted into send_publish_put, returning miette::Result<Result<(), PublishHttpFailure>> so HTTP-level failures are structured and inspectable before deciding whether to retry.
  • publish_failure_needs_otp implements a heuristic matching common npm OTP error patterns (EOTP, npm-otp, two-factor, 2FA with "required").
  • Seven unit tests cover both positive and negative detection cases.

Confidence Score: 5/5

Safe to merge; the retry is bounded to a single attempt and only fires when the registry explicitly signals an OTP requirement with no --otp already supplied.

The refactor is clean and well-tested with seven targeted unit tests covering both positive and negative OTP detection cases. The existing --otp flow is unchanged.

No files require special attention.

Important Files Changed

Filename: crates/aube/src/commands/publish.rs
Overview: Adds OTP challenge detection, interactive prompt via demand, and single retry. Refactoring is clean; retry is correctly bounded and gated on --otp absence. Minor: the OTP retry guard doesn't exclude the trusted-publish path.

Reviews (4): Last reviewed commit: "fix(publish): prompt for OTP on registry..." | Re-trigger Greptile
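
An added example, not code from this PR or from aube: a small Rust model of the decision the comments above describe (classify a 401/403 as an OTP challenge, then prompt and retry once, return the --otp <CODE> hint, or fail). The type and function names and the sample response bodies are hypothetical; the matching rules use only the patterns listed on this page.

```rust
// Added illustration: names and sample bodies are hypothetical, not aube's code.
#[derive(Debug, PartialEq)]
pub enum NextStep {
    PromptAndRetryOnce, // interactive: ask for a code, resend the PUT once
    FailWithOtpHint,    // non-interactive: tell the user to pass --otp <CODE>
    Fail,               // not an OTP challenge, or a code was already sent
}

pub struct HttpFailure<'a> {
    pub status: u16,
    pub body: &'a str,
}

/// Only a 401/403 whose body names an OTP requirement counts as a challenge,
/// so a plain bad-token 401 is never turned into a prompt.
pub fn looks_like_otp_challenge(f: &HttpFailure) -> bool {
    if f.status != 401 && f.status != 403 {
        return false;
    }
    let body = f.body.to_ascii_lowercase();
    let required = body.contains("required");
    body.contains("eotp")
        || body.contains("npm-otp")
        || (required && (body.contains("two-factor") || body.contains("2fa")))
}

/// `otp_sent` is true when --otp was given or a prompted code was already
/// used, which bounds the flow to a single retry.
pub fn next_step(f: &HttpFailure, otp_sent: bool, interactive: bool) -> NextStep {
    if otp_sent || !looks_like_otp_challenge(f) {
        return NextStep::Fail;
    }
    if interactive {
        NextStep::PromptAndRetryOnce
    } else {
        NextStep::FailWithOtpHint
    }
}

fn main() {
    // Constructed responses for illustration, not captured registry output.
    let samples = [
        HttpFailure { status: 401, body: "EOTP: one-time password required" },
        HttpFailure { status: 403, body: "Two-factor authentication is required" },
        HttpFailure { status: 401, body: "invalid authentication token" },
    ];
    for s in &samples {
        println!("{} {:?} -> {:?}", s.status, s.body, next_step(s, false, true));
    }
}
```
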

Comment thread crates/aube/src/commands/publish.rs (Outdated)
jdx force-pushed the codex/publish-otp-prompt branch from 026f377 to ee831fb on May 25, 2026 19:46
Comment thread crates/aube/src/commands/publish.rs
jdx force-pushed the codex/publish-otp-prompt branch 2 times, most recently from 65b5b85 to 6ddf592, on May 25, 2026 19:57

cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 6ddf592.

Comment thread crates/aube/src/commands/publish.rs
jdx force-pushed the codex/publish-otp-prompt branch from 6ddf592 to e90fab7 on May 25, 2026 20:00
jdx force-pushed the codex/publish-otp-prompt branch from e90fab7 to e327d22 on May 25, 2026 20:02
jdx enabled auto-merge (squash) on May 25, 2026 20:04
jdx merged commit d4201ee into main on May 25, 2026
18 checks passed
jdx deleted the codex/publish-otp-prompt branch on May 25, 2026 20:08