feat(p1.6): mobile pairing via QR code

desktop/app.go

@@ -848,3 +848,44 @@ func (a *App) FetchRelayMe() (RelayMe, error) {
 	}
 	return out, nil
 }
+
+// PairingTokenResponse is what the renderer receives when generating a QR code.
+// Mirrors the relay's /api/pair/create response body.
+type PairingTokenResponse struct {
+	Token     string `json:"token"`
+	ExpiresAt int64  `json:"expires_at"`
+	QRURL     string `json:"qr_url"`
+}
+
+// CreatePairingToken asks the configured relay to mint a 5-minute single-use
+// pairing token for the desktop's current user and returns the response,
+// including the qr_url to encode into a QR code.
+func (a *App) CreatePairingToken() (PairingTokenResponse, error) {
+	if a.cfgStore == nil {
+		return PairingTokenResponse{}, fmt.Errorf("config store not ready")
+	}
+	cfg := a.cfgStore.Get()
+	if cfg.RelayURL == "" || cfg.RelayToken == "" {
+		return PairingTokenResponse{}, fmt.Errorf("no relay configured")
+	}
+	baseHTTP := strings.Replace(strings.Replace(cfg.RelayURL, "wss://", "https://", 1), "ws://", "http://", 1)
+	req, err := http.NewRequest("POST", baseHTTP+"/api/pair/create", strings.NewReader("{}"))
+	if err != nil {
+		return PairingTokenResponse{}, err
+	}
+	req.Header.Set("Authorization", "Bearer "+cfg.RelayToken)
+	req.Header.Set("Content-Type", "application/json")
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return PairingTokenResponse{}, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return PairingTokenResponse{}, fmt.Errorf("relay /api/pair/create returned status %d", resp.StatusCode)
+	}
+	var out PairingTokenResponse
+	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
+		return PairingTokenResponse{}, err
+	}
+	return out, nil
+}

desktop/app_pairing_test.go

@@ -0,0 +1,56 @@
+package main
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestCreatePairingToken_PostsToRelayWithBearerAndReturnsParsed(t *testing.T) {
+	var gotAuth string
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path != "/api/pair/create" || r.Method != http.MethodPost {
+			t.Errorf("unexpected request: %s %s", r.Method, r.URL.Path)
+			http.NotFound(w, r)
+			return
+		}
+		gotAuth = r.Header.Get("Authorization")
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"token":      "pair_TESTVALUE",
+			"expires_at": int64(1748689200),
+			"qr_url":     "http://relay.test/pair?t=pair_TESTVALUE",
+		})
+	}))
+	t.Cleanup(srv.Close)
+
+	a := newRelayTestApp(t)
+	if err := a.cfgStore.Set(appConfig{RelayURL: srv.URL, RelayToken: "atk_localtest"}); err != nil {
+		t.Fatalf("seed cfgStore: %v", err)
+	}
+
+	got, err := a.CreatePairingToken()
+	if err != nil {
+		t.Fatalf("CreatePairingToken: %v", err)
+	}
+	if got.Token != "pair_TESTVALUE" {
+		t.Errorf("Token: got %q", got.Token)
+	}
+	if got.ExpiresAt != 1748689200 {
+		t.Errorf("ExpiresAt: got %d", got.ExpiresAt)
+	}
+	if !strings.HasPrefix(got.QRURL, "http://relay.test/pair?t=") {
+		t.Errorf("QRURL: got %q", got.QRURL)
+	}
+	if gotAuth != "Bearer atk_localtest" {
+		t.Errorf("Authorization: got %q", gotAuth)
+	}
+}
+
+func TestCreatePairingToken_NoRelayConfigured_Errors(t *testing.T) {
+	a := newRelayTestApp(t)
+	if _, err := a.CreatePairingToken(); err == nil {
+		t.Fatal("expected error when relay not configured")
+	}
+}