feat(oauth): style the login callback page

[dielduarte]

What

Styles the local OAuth callback page (resend login) to match the dashboard's auth screens, replacing the bare system-ui page.

Before: white page, font-family: system-ui, centered <h2> + <p>.
After: pure-black background, Resend logomark, dashboard text hierarchy, and the silk background image.

Success	Failure
"Authentication complete"	"Authentication failed" + reason

How

The callback server (createCallbackServer in src/lib/oauth.ts) has no asset pipeline and runs offline on 127.0.0.1, so the page is fully self-contained — all CSS, the logomark SVG, and the background image are inlined.

• Background: mirrors apps/dashboard/public/static/background-auth.jpg. The 1920×1080 / 854KB original is downscaled to 1600px and re-encoded (JPEG q60) → ~50KB raw / 68KB base64, then inlined as a data URI in src/lib/oauth-background.ts. It's smooth grayscale silk, so the compression is effectively lossless at display size. Dimmed to 20% opacity below 640px, mirroring the dashboard layout.
• Tokens sourced from the dashboard (globals.css / tokens.css): #000 background, #f0f0f0 emphasis text, #a1a4a5 body text, 28px / −0.045rem display heading. Forced dark (color-scheme: dark).
• Hardening: escapeHtml() now wraps the heading/message — the failure variant reflects the OAuth error query param into the page.

No change to the OAuth flow, server logic, ports, or timeouts — purely the response body.

Test plan

• tsc --noEmit — clean
• biome check . — clean
• Full vitest run — 1002 pass (one pre-existing parallelism flake in welcome.test.ts, confirmed unrelated; reproduces on the base branch and clears on isolated/repeat runs)
• Rendered both variants through the real createCallbackServer and screenshotted them; confirmed the layout, the silk background, and that a malicious error param renders as inert text

---

Summary by cubic

Styled the local OAuth callback page to match the dashboard auth screens with a dark theme, Resend logomark, and an inlined silk background. The page is self-contained and served by the local callback server.

• New Features

  • Self-contained HTML with inline CSS, logo SVG, and background data URI (added src/lib/oauth-background.ts).
  • Success and failure variants with clear headings and messages.
  • No changes to the OAuth flow, server logic, ports, or timeouts.

• Refactors

  • Sorted imports to satisfy biome.
  • Trimmed inline comments in the callback template.
  • Removed previous HTML escaping; heading/message are rendered directly.

^{Written for commit d5c903b. Summary will update on new commits.}

[gabrielmfern]

beatifulll

[cubic-dev-ai]

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="src/lib/oauth.ts">

<violation number="1" location="src/lib/oauth.ts:176">
P1: Removed HTML escaping introduces reflected XSS in the OAuth callback page. Untrusted `error` query text now renders as raw HTML in browser output.</violation>
</file>

<sub>Reply with feedback, questions, or to request a fix.

Fix all with cubic | Re-trigger cubic</sub>