add --otp to dist-tag add/remove and pass it as npm-otp
send npm-auth-type: web on dist-tag write requests for npmjs 2FA/web-auth compatibility
cover write headers with a registry client test and expose --otp in dist-tag help/docs
Tests
cargo fmt --check
cargo test -p aube-registry dist_tag_writes_send_web_auth_and_otp_headers
cargo check -p aube
cargo build
test/bats/bin/bats test/dist_tag.bats
mise run test:bats test/dist_tag.bats (failed: GNU parallel is not installed in this environment)
This PR was generated by Codex.
Note
Medium Risk
Changes authenticated registry write behavior for dist-tags (2FA headers); scope is narrow but affects publish-adjacent npmjs flows.
Overview
Adds --otp to dist-tag add and dist-tag rm (usage spec, CLI, generated docs) and threads the value through to registry PUT/DELETE dist-tag writes as the npm-otp header when provided.
The registry client now accepts an optional OTP on put_dist_tag / delete_dist_tag, sets npm-auth-type: web on writes targeting public npmjs, and only sends npm-otp when --otp is set. Wiremock tests cover npmjs vs custom registries; Bats checks that help mentions --otp.
Reviewed by Cursor Bugbot for commit e73292b.
This PR adds --otp support to dist-tag add and dist-tag rm, wiring it through the CLI, registry client, and docs. It also sends npm-auth-type: web on write requests to public npmjs for 2FA/WebAuthn compatibility.
put_dist_tag and delete_dist_tag both receive otp: Option<&str> and conditionally emit npm-otp; npm-auth-type: web is gated on is_public_npmjs(name) so custom registries are unaffected.
Four new wiremock tests cover all header-presence combinations: public npmjs with/without OTP, custom registry with OTP only, and the no-OTP-header-absent path — directly addressing the gaps called out in earlier review rounds.
Confidence Score: 5/5
Safe to merge — changes are limited to two registry write methods with well-gated header logic and full test coverage across all branching paths.
All previously flagged issues are resolved: npm-auth-type: web is now correctly conditioned on is_public_npmjs, and the no-OTP path is explicitly tested. The change is narrow in scope, touches only dist-tag write paths, and is backed by four new integration-style tests.
No files require special attention.
Important Files Changed

| Filename | Overview |
| --- | --- |
| crates/aube-registry/src/client/endpoints.rs | Adds otp: Option<&str> to put_dist_tag and delete_dist_tag; conditionally sends npm-auth-type: web (npmjs only) and npm-otp (when OTP provided). Logic is correct and consistent between both methods. |
| crates/aube-registry/src/client/retry_tests.rs | Adds four new tests covering: web-auth header for public npmjs (with and without OTP), OTP-only for custom registries, and absence of npm-otp when None. Addresses both gaps flagged in earlier review threads. |
| crates/aube/src/commands/dist_tag.rs | Adds otp: Option<String> to Add and Rm enum variants and threads it through to the registry client calls correctly. |
| aube.usage.kdl | Adds --otp <OTP> flag definitions to both dist-tag add and dist-tag rm subcommands in the usage spec. |
| test/dist_tag.bats | Extends existing bats tests to assert --otp appears in help output for both add and remove. |
| docs/cli/dist-tag/add.md | Generated docs updated to include --otp in usage line and a new Flags section. |
| docs/cli/dist-tag/rm.md | Generated docs updated to include --otp in usage line and a new Flags section. |
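A sketch of the header gating the review summary describes, added here as an illustration and not taken from the aube code base. `dist_tag_write_headers`, `is_public_npmjs_url` and `registry_host` are hypothetical names; the check works on a registry URL rather than the package name that the real `is_public_npmjs(name)` takes, and the exact-host comparison and empty-OTP handling are assumptions of this sketch.

```rust
// Added illustration (hypothetical names, not aube's code): which 2FA-related
// headers a dist-tag PUT/DELETE carries for a given registry and OTP value.
const PUBLIC_NPM_HOST: &str = "registry.npmjs.org";

/// Lowercased host of an http(s) URL, with userinfo and port stripped.
fn registry_host(url: &str) -> Option<String> {
    let rest = url
        .strip_prefix("https://")
        .or_else(|| url.strip_prefix("http://"))?;
    let authority = rest.split(|c: char| c == '/' || c == '?' || c == '#').next()?;
    let host_port = authority.rsplit('@').next()?; // text before '@' is userinfo
    let host = host_port.split(':').next()?;
    if host.is_empty() { None } else { Some(host.to_ascii_lowercase()) }
}

/// Assumption: "public npmjs" means an exact host match, so a lookalike
/// host that merely starts with the npm name is treated as a custom registry.
fn is_public_npmjs_url(registry_url: &str) -> bool {
    registry_host(registry_url).as_deref() == Some(PUBLIC_NPM_HOST)
}

/// Headers added to a dist-tag write, in the order they are pushed.
fn dist_tag_write_headers(registry_url: &str, otp: Option<&str>) -> Vec<(&'static str, String)> {
    let mut headers = Vec::new();
    if is_public_npmjs_url(registry_url) {
        headers.push(("npm-auth-type", "web".to_string()));
    }
    // Assumption of this sketch: a blank --otp value is treated as absent.
    if let Some(code) = otp.map(str::trim).filter(|c| !c.is_empty()) {
        headers.push(("npm-otp", code.to_string()));
    }
    headers
}

fn main() {
    // Constructed sample inputs covering the four cases the tests describe,
    // plus one lookalike host.
    let cases = [
        ("https://registry.npmjs.org/", Some("123456")),
        ("https://registry.npmjs.org/", None),
        ("https://npm.internal.example.test/", Some("123456")),
        ("https://npm.internal.example.test/", None),
        ("https://registry.npmjs.org.example.test/", Some("123456")),
    ];
    for (url, otp) in cases {
        println!("{url} otp={otp:?} -> {:?}", dist_tag_write_headers(url, otp));
    }
}
```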