Add WebAuthn enrollment CLI command

[helixclaw]

Summary

Add a 2kc webauthn enroll CLI command that guides server operators through registering a passkey/biometric credential with the server.

Context

Before WebAuthn can be used for approvals, the operator must register at least one credential. This is a one-time setup step done via the CLI (which opens a browser for the WebAuthn ceremony).

Acceptance Criteria

• 2kc webauthn enroll command in src/cli/webauthn.ts:
  • Requests registration options from server (POST /api/webauthn/register/options)
  • Opens a local browser to a temporary registration page (or uses a terminal-based flow)
  • Alternative: prints a URL for the operator to open manually
  • Completes registration ceremony and sends response to server
  • Prints: "Passkey enrolled successfully. You can now use WebAuthn for approvals."
• 2kc webauthn list — lists registered credentials (ID, creation date, last used)
• 2kc webauthn remove <credentialId> — removes a credential (with confirmation)
• Requires server auth (session token or bearer) to access enrollment endpoints
• Works in client-server mode only (error if standalone mode)

Dependencies

• Add WebAuthn server endpoints for registration and assertion #66 (WebAuthn server endpoints)

Scope Boundaries

• Does NOT include the approval flow (separate issue)
• Enrollment is operator-facing, not end-user-facing