add three-QR signup ceremony to the Android app (ADR 0023 phone-side)

The dashboard demo at /demo/registration was driving the phone-side
endpoints through a simulator. This commit adds the actual Kotlin
client so the same flow runs against the live backend from a real
phone (sideloaded APK).

What lands:

  net/RegistrationApi.kt      — Retrofit binding for the three
                                phone-side endpoints (POST
                                /v1/registrations/{pair-device,
                                submit-commitment, complete}) plus
                                request/response DTOs. Same OkHttp +
                                Json stack as ZeroAuthApi; pulled out
                                into ApiFactory.createRegistrationApi
                                so callers that only need the new
                                surface skip the W3 init cost.

  util/RegQrPayload.kt        — Parser for the QR deeplinks:
                                zeroauth://reg?step=<pair|enroll|verify>
                                &session=<uuid>&code=ZA-XXXX-XXXX
                                [&challenge=<32-hex>]. Returns
                                Result.failure with stable string
                                codes (reg_qr_parse_failed,
                                reg_qr_missing_field,
                                reg_qr_bad_code_shape,
                                reg_qr_bad_challenge_shape) so the UI
                                routes errors without a try/catch.

  util/DeviceFingerprint.kt   — Builds the >= 16-char opaque
                                fingerprint string the server hashes.
                                Composition: android:<appId>:
                                <ANDROID_ID>:<install_uuid>; result
                                SHA-256-hex'd. Per-install UUID lives
                                in SharedPreferences so the same
                                install always produces the same
                                fingerprint (lets the same row in the
                                devices table re-enroll on
                                code-regenerate).

  ui/reg/RegistrationViewModel.kt — State machine:
                                Idle → Pairing → AwaitingEnrollScan
                                → Committing → AwaitingVerifyScan →
                                Verifying → Completed | Failed.
                                onQrText(text) parses, branches by
                                step, and POSTs. BiometricSecretSource
                                and ProofGenerator are injection seams
                                so Phase 1 Sprint 4 can swap the
                                StubProofGenerator for the real
                                WebViewMobileProver.

  ui/reg/RegistrationHelpers.kt — Default injections:
                                PerInstallStableSecret persists a
                                32-byte secret in SharedPreferences so
                                step 2 and step 3 derive the same
                                commitment (without that, the verify
                                step's publicSignals[0] check fails).
                                DeriveDidAndCommitment computes
                                Poseidon.hash2(secret, zeroSalt) and
                                derives the DID suffix. StubProofGenerator
                                returns a structurally valid Groth16
                                envelope — the server's verifier will
                                reject it (intentionally) until the
                                real prover lands.

  ui/reg/RegistrationScreen.kt — Compose UI. Paste-deeplink only for
                                V1 (the camera scan path mirrors
                                ui/scan/ScanScreen.kt's ML Kit +
                                CameraX pipeline and gets wired in
                                Phase 1 Sprint 4). Step badge,
                                progress indicators, terminal
                                Completed / Failed cards.

  ui/SplashScreen.kt          — Second CTA "Create a new account
                                (3-QR signup)" routes to the new flow.
                                Original "Sign in" CTA unchanged.

  nav/Nav.kt                  — New Screen.Registration entry +
                                composable route.

Tests:

  test/util/RegQrPayloadTest.kt — 11 Robolectric tests covering the
                                happy path for each step + every
                                stable error code (wrong scheme, wrong
                                host, unknown step, missing
                                session/code, malformed code/challenge,
                                verify-without-challenge).

Verify (CI):
  .github/workflows/android.yml runs ./gradlew assembleDebug + test
  on every push that touches android/**. The local toolchain in this
  environment doesn't have gradle/android SDK installed (the wrapper
  jar is gitignored per README), so the validation falls to CI.

How to install on a phone:
  cd android
  gradle wrapper --gradle-version 8.7
  ./gradlew :app:installDebug   # adb-attached device

Author: Pulkit Pareek

android/README.md

@@ -11,12 +11,27 @@ real and demoable. The snarkjs prover, the Retrofit `/v1/proof-pairing`
 client, the Keystore-bound credential, the Biometric prompt — those
 all land in the follow-on prover-glue sprint task.
 
+**ADR 0023 three-QR end-user signup ceremony** lives alongside the W3
+QR-sign-in flow. The Splash screen has a second CTA ("Create a new
+account (3-QR signup)") that routes to `RegistrationScreen` —
+paste-deeplink only for V1 (the camera scan path reuses the existing
+ScanScreen's ML Kit pipeline and gets wired in Phase 1 Sprint 4
+alongside the real FaceEmbedder pipeline from `mobile/biometric/`).
+The phone-side endpoints (`POST /v1/registrations/{pair-device,
+submit-commitment, complete}`) are bound via `net/RegistrationApi.kt`;
+the deeplink parser is `util/RegQrPayload.kt`; the orchestrator is
+`ui/reg/RegistrationViewModel.kt`. See
+[ADR 0023](../adr/0023-three-qr-signup-ceremony.md) for the wire
+protocol + state machine.
+
 See:
 
 - [ADR-0009 — QR proof-pairing protocol](../adr/0009-qr-proof-pairing-protocol.md)
 - [ADR-0010 — Android WebView snarkjs bundling](../adr/0010-android-webview-snarkjs-bundling.md)
+- [ADR 0023 — Three-QR end-user signup ceremony](../adr/0023-three-qr-signup-ceremony.md)
 - [`docs/api_contract.md`](../docs/api_contract.md) — the four
-  `/v1/proof-pairing/*` endpoints.
+  `/v1/proof-pairing/*` endpoints + the six `/v1/registrations/*`
+  endpoints.
 
 ## Prerequisites
 

android/app/src/main/java/dev/zeroauth/android/nav/Nav.kt

@@ -10,6 +10,7 @@ import androidx.navigation.navArgument
 import dev.zeroauth.android.ui.DoneScreen
 import dev.zeroauth.android.ui.EnrollScreen
 import dev.zeroauth.android.ui.SplashScreen
+import dev.zeroauth.android.ui.reg.RegistrationScreen
 import dev.zeroauth.android.ui.scan.ScanScreen
 
 /**
@@ -28,6 +29,8 @@ sealed class Screen(val route: String) {
     data object Splash : Screen("splash")
     data object Enroll : Screen("enroll")
     data object Scan   : Screen("scan")
+    /** ADR 0023 three-QR end-user signup ceremony. */
+    data object Registration : Screen("registration")
 
     data object Done : Screen("done?payload={payload}") {
         const val ARG_PAYLOAD = "payload"
@@ -56,6 +59,19 @@ fun ZeroAuthNavHost() {
                         popUpTo(Screen.Splash.route) { inclusive = true }
                     }
                 },
+                onCreateAccount = {
+                    navController.navigate(Screen.Registration.route)
+                },
+            )
+        }
+
+        composable(Screen.Registration.route) {
+            RegistrationScreen(
+                onDone = {
+                    navController.navigate(Screen.Splash.route) {
+                        popUpTo(0) { inclusive = true }
+                    }
+                },
             )
         }
 

android/app/src/main/java/dev/zeroauth/android/net/Api.kt

@@ -124,7 +124,20 @@ object ApiFactory {
         explicitNulls = false
     }
 
-    fun create(baseUrl: String = DEFAULT_BASE_URL): ZeroAuthApi {
+    fun create(baseUrl: String = DEFAULT_BASE_URL): ZeroAuthApi =
+        retrofit(baseUrl).create(ZeroAuthApi::class.java)
+
+    /**
+     * ADR 0023 three-QR signup ceremony — the phone-side endpoints
+     * the registration scan flow hits. Same OkHttp + Retrofit stack
+     * as [create]; pulled out into a separate factory so callers that
+     * only need registration can avoid the ZeroAuthApi initialisation
+     * cost on first use.
+     */
+    fun createRegistrationApi(baseUrl: String = DEFAULT_BASE_URL): RegistrationApi =
+        retrofit(baseUrl).create(RegistrationApi::class.java)
+
+    private fun retrofit(baseUrl: String): Retrofit {
         val logging = HttpLoggingInterceptor().apply {
             level = if (BuildConfig.DEBUG) {
                 HttpLoggingInterceptor.Level.BODY
@@ -144,7 +157,6 @@ object ApiFactory {
             .client(client)
             .addConverterFactory(json.asConverterFactory("application/json".toMediaType()))
             .build()
-            .create(ZeroAuthApi::class.java)
     }
 
     /**

android/app/src/main/java/dev/zeroauth/android/net/RegistrationApi.kt

@@ -0,0 +1,122 @@
+package dev.zeroauth.android.net
+
+import kotlinx.serialization.SerialName
+import kotlinx.serialization.Serializable
+import kotlinx.serialization.json.JsonElement
+import retrofit2.http.Body
+import retrofit2.http.POST
+
+/**
+ * Retrofit binding for the three-QR end-user signup ceremony
+ * (server-side ADR 0023). The phone holds NO tenant API key — the
+ * QR-supplied code is the bearer credential for each step. See
+ * `util/RegQrPayload.kt` for the parser that turns a scanned QR
+ * string into the right request body for each step.
+ *
+ * Endpoint contract (server side):
+ *
+ *   POST /v1/registrations/pair-device
+ *     body:  { pair_code, fingerprint, attestation_kind? }
+ *     200:   { session_id, device_id, next: {...} }
+ *     404:   { error: "pair_failed" }    — uniform on any failure
+ *
+ *   POST /v1/registrations/submit-commitment
+ *     body:  { enroll_code, did, commitment, attestation_kind? }
+ *     200:   { session_id, next: { step, code, deeplink, challenge_nonce } }
+ *     404:   { error: "enroll_failed" }
+ *
+ *   POST /v1/registrations/complete
+ *     body:  { verify_code, challenge_nonce, proof, public_signals }
+ *     200:   { session_id, tenant_user, device }
+ *     404:   { error: "verify_failed" }
+ *
+ * The phone-side rate-limit on these endpoints is 20 req/min per IP.
+ *
+ * The `proof` field on /complete carries the snarkjs Groth16 envelope
+ * `{ pi_a, pi_b, pi_c, protocol, curve }`. We reuse [Groth16Proof]
+ * from the proof-pairing prover (defined in
+ * `dev.zeroauth.android.prover.MobileProver`) so the same struct
+ * serialises identically into both surfaces.
+ */
+interface RegistrationApi {
+
+    @POST("v1/registrations/pair-device")
+    suspend fun pairDevice(@Body body: PairDeviceRequest): PairDeviceResponse
+
+    @POST("v1/registrations/submit-commitment")
+    suspend fun submitCommitment(@Body body: SubmitCommitmentRequest): SubmitCommitmentResponse
+
+    @POST("v1/registrations/complete")
+    suspend fun complete(@Body body: CompleteRequest): CompleteResponse
+}
+
+// ─── Request shapes ───────────────────────────────────────────────
+
+@Serializable
+data class PairDeviceRequest(
+    @SerialName("pair_code") val pairCode: String,
+    /**
+     * Opaque hardware identifier — server requires >= 16 chars and
+     * stores only its SHA-256. Production phones supply a stable
+     * composition of android_id + installation_uuid + Play Integrity
+     * package signature. See [dev.zeroauth.android.util.DeviceFingerprint]
+     * for the canonical builder.
+     */
+    val fingerprint: String,
+    @SerialName("attestation_kind") val attestationKind: String? = null,
+)
+
+@Serializable
+data class SubmitCommitmentRequest(
+    @SerialName("enroll_code") val enrollCode: String,
+    /** `did:zeroauth:<method>:<hex>` — server validates the shape. */
+    val did: String,
+    /** Hex Poseidon commitment, with or without the leading `0x`. */
+    val commitment: String,
+    @SerialName("attestation_kind") val attestationKind: String? = null,
+)
+
+@Serializable
+data class CompleteRequest(
+    @SerialName("verify_code") val verifyCode: String,
+    @SerialName("challenge_nonce") val challengeNonce: String,
+    /**
+     * snarkjs Groth16 proof envelope `{ pi_a, pi_b, pi_c, ...}`. We
+     * use [JsonElement] so the [dev.zeroauth.android.prover.Groth16Proof]
+     * struct from the prover module can be serialised inline without
+     * a Retrofit-side adapter — the call site does the conversion.
+     */
+    val proof: JsonElement,
+    @SerialName("public_signals") val publicSignals: List<String>,
+)
+
+// ─── Response shapes ──────────────────────────────────────────────
+
+@Serializable
+data class NextStep(
+    val step: String,
+    val code: String,
+    @SerialName("expires_at") val expiresAt: String,
+    val deeplink: String,
+    @SerialName("challenge_nonce") val challengeNonce: String? = null,
+)
+
+@Serializable
+data class PairDeviceResponse(
+    @SerialName("session_id") val sessionId: String,
+    @SerialName("device_id") val deviceId: String? = null,
+    val next: NextStep,
+)
+
+@Serializable
+data class SubmitCommitmentResponse(
+    @SerialName("session_id") val sessionId: String,
+    val next: NextStep,
+)
+
+@Serializable
+data class CompleteResponse(
+    @SerialName("session_id") val sessionId: String,
+    @SerialName("tenant_user") val tenantUser: JsonElement? = null,
+    val device: JsonElement? = null,
+)

android/app/src/main/java/dev/zeroauth/android/ui/SplashScreen.kt

@@ -48,6 +48,7 @@ import dev.zeroauth.android.ui.theme.ZeroAuthTheme
 fun SplashScreen(
     onEnrollNeeded: () -> Unit,
     onAlreadyEnrolled: () -> Unit,
+    onCreateAccount: () -> Unit = {},
 ) {
     // TODO(prover-glue): replace with a real read off KeystoreManager.
     // Today this is always false so the demo always shows the Enroll
@@ -97,25 +98,52 @@ fun SplashScreen(
                 )
             }
 
-            Button(
-                onClick = {
-                    if (navigated) return@Button
-                    navigated = true
-                    if (isEnrolled.value) onAlreadyEnrolled() else onEnrollNeeded()
-                },
-                modifier = Modifier
-                    .fillMaxWidth()
-                    .height(56.dp),
-                colors = ButtonDefaults.buttonColors(
-                    containerColor = MaterialTheme.colorScheme.primary,
-                    contentColor   = MaterialTheme.colorScheme.onPrimary,
-                ),
-                contentPadding = PaddingValues(horizontal = 24.dp),
+            Column(
+                modifier = Modifier.fillMaxWidth(),
+                verticalArrangement = Arrangement.spacedBy(12.dp),
             ) {
-                Text(
-                    text  = stringResource(R.string.splash_cta),
-                    style = MaterialTheme.typography.labelLarge,
-                )
+                Button(
+                    onClick = {
+                        if (navigated) return@Button
+                        navigated = true
+                        if (isEnrolled.value) onAlreadyEnrolled() else onEnrollNeeded()
+                    },
+                    modifier = Modifier
+                        .fillMaxWidth()
+                        .height(56.dp),
+                    colors = ButtonDefaults.buttonColors(
+                        containerColor = MaterialTheme.colorScheme.primary,
+                        contentColor   = MaterialTheme.colorScheme.onPrimary,
+                    ),
+                    contentPadding = PaddingValues(horizontal = 24.dp),
+                ) {
+                    Text(
+                        text  = stringResource(R.string.splash_cta),
+                        style = MaterialTheme.typography.labelLarge,
+                    )
+                }
+                // ADR 0023 three-QR end-user signup. The "Create a new
+                // account" CTA jumps into the registration ceremony,
+                // which is independent of the existing QR-sign-in flow
+                // above (that one's for users who already have an
+                // account and want to authenticate on a desktop).
+                Button(
+                    onClick = {
+                        if (navigated) return@Button
+                        navigated = true
+                        onCreateAccount()
+                    },
+                    modifier = Modifier
+                        .fillMaxWidth()
+                        .height(56.dp),
+                    colors = ButtonDefaults.outlinedButtonColors(),
+                    contentPadding = PaddingValues(horizontal = 24.dp),
+                ) {
+                    Text(
+                        text  = "Create a new account (3-QR signup)",
+                        style = MaterialTheme.typography.labelLarge,
+                    )
+                }
             }
         }
     }