feat(auth): surface request-access URL for users without accounts

Add REQUEST_ACCESS_URL constant and display it at every auth dead-end:
- sf provar auth login: catch 401 from exchange and show request URL
- sf provar auth status: "no key configured" block includes request URL
- MCP ONBOARDING_MESSAGE and AUTH_WARNING include request URL
- QualityHubAuthError from /auth/exchange includes request URL
- docs/mcp.md: "Don't have an account?" in Authentication section
- README.md: "Get Access" badge + inline link in MCP section
- messages/sf.provar.auth.login.md and status.md updated

Note: provar-mcp-public-docs.md and university-of-provar-mcp-course.md
are maintained separately — flag for manual update.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mrdailey99

README.md

@@ -3,6 +3,7 @@
 [![Version](https://img.shields.io/npm/v/@provartesting/provardx-cli.svg)](https://npmjs.org/package/@provartesting/provardx-cli)
 [![Downloads/week](https://img.shields.io/npm/dw/@provartesting/provardx-cli.svg)](https://npmjs.org/package/@provartesting/provardx-cli)
 [![License](https://img.shields.io/npm/l/@provartesting/provardx-cli.svg)](https://github.com/ProvarTesting/provardx-cli/blob/main/LICENSE.md)
+[![Get Access](https://img.shields.io/badge/Quality%20Hub-Get%20Access-blue)](https://aqqlrlhga7.execute-api.us-east-1.amazonaws.com/dev/auth/request-access)
 
 # What is the ProvarDX CLI?
 
@@ -32,7 +33,7 @@ $ sf plugins uninstall @provartesting/provardx-cli
 
 The Provar DX CLI includes a built-in **Model Context Protocol (MCP) server** that connects AI assistants (Claude Desktop, Claude Code, Cursor) directly to your Provar project. Once connected, an AI agent can inspect your project structure, generate Page Objects and test cases, validate every level of the test hierarchy with quality scores, and work with NitroX (Hybrid Model) component page objects for LWC, Screen Flow, Industry Components, Experience Cloud, and HTML5.
 
-Validation runs in two modes: **local only** (structural rules, no key required) or **Quality Hub API** (170+ rules, quality scoring — requires a `pv_k_` API key). Run `sf provar auth login` to authenticate and unlock full validation.
+Validation runs in two modes: **local only** (structural rules, no key required) or **Quality Hub API** (170+ rules, quality scoring — requires a `pv_k_` API key). Run `sf provar auth login` to authenticate and unlock full validation. Don't have an account? **[Request access](https://aqqlrlhga7.execute-api.us-east-1.amazonaws.com/dev/auth/request-access)**.
 
 ```sh
 sf provar mcp start --allowed-paths /path/to/your/provar/project
@@ -111,6 +112,9 @@ DESCRIPTION
   ~/.provar/credentials.json, and store it as the PROVAR_API_KEY environment variable
   or secret in your pipeline. Rotate the secret every ~90 days when the key expires.
 
+  Don't have an account? Request access at:
+  https://aqqlrlhga7.execute-api.us-east-1.amazonaws.com/dev/auth/request-access
+
 EXAMPLES
   Log in interactively:
 

docs/mcp.md

@@ -161,6 +161,9 @@ When `validation_source` is `local_fallback`, a `validation_warning` field is al
 
 ### Configuring an API key
 
+**Don't have an account?** Request access at the self-service form:  
+<https://aqqlrlhga7.execute-api.us-east-1.amazonaws.com/dev/auth/request-access>
+
 **Interactive login (recommended):**
 
 ```sh

messages/sf.provar.auth.login.md

@@ -13,6 +13,9 @@ exchange and are then discarded — only the pv*k* API key is written to disk.
 
 Run 'sf provar auth status' after login to confirm the key is configured correctly.
 
+Don't have an account? Request access at:
+https://aqqlrlhga7.execute-api.us-east-1.amazonaws.com/dev/auth/request-access
+
 # flags.url.summary
 
 Override the Quality Hub API base URL (for testing against a non-production environment).

messages/sf.provar.auth.status.md

@@ -6,6 +6,8 @@ Reports where the active API key comes from (environment variable or stored file
 shows the key prefix and when it was set, and states whether validation will use the
 Quality Hub API or local rules only. The full key is never printed.
 
+If no key is configured, guidance is shown for logging in or requesting access.
+
 # examples
 - Check auth status:
   <%= config.bin %> <%= command.id %>

src/commands/provar/auth/login.ts

@@ -10,7 +10,12 @@ import { Flags, SfCommand } from '@salesforce/sf-plugins-core';
 import { Messages } from '@provartesting/provardx-plugins-utils';
 import { writeCredentials } from '../../../services/auth/credentials.js';
 import { loginFlowClient } from '../../../services/auth/loginFlow.js';
-import { qualityHubClient, getQualityHubBaseUrl } from '../../../services/qualityHub/client.js';
+import {
+  qualityHubClient,
+  getQualityHubBaseUrl,
+  QualityHubAuthError,
+  REQUEST_ACCESS_URL,
+} from '../../../services/qualityHub/client.js';
 
 Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
 const messages = Messages.loadMessages('@provartesting/provardx-cli', 'sf.provar.auth.login');
@@ -78,7 +83,18 @@ export default class SfProvarAuthLogin extends SfCommand<void> {
 
     // ── Step 6: Exchange Cognito access token for pv_k_ key ─────────────────
     // Cognito tokens are held in memory only — discarded after this call.
-    const keyData = await qualityHubClient.exchangeTokenForKey(tokens.access_token, baseUrl);
+    let keyData;
+    try {
+      keyData = await qualityHubClient.exchangeTokenForKey(tokens.access_token, baseUrl);
+    } catch (err) {
+      if (err instanceof QualityHubAuthError) {
+        this.error(
+          `No Provar MCP account found for this login.\nRequest access at: ${REQUEST_ACCESS_URL}`,
+          { exit: 1 }
+        );
+      }
+      throw err;
+    }
 
     // ── Step 7: Persist the pv_k_ key ──────────────────────────────────────
     writeCredentials(keyData.api_key, keyData.prefix, 'cognito', {

src/commands/provar/auth/status.ts

@@ -9,7 +9,7 @@
 import { SfCommand } from '@salesforce/sf-plugins-core';
 import { Messages } from '@provartesting/provardx-plugins-utils';
 import { readStoredCredentials } from '../../../services/auth/credentials.js';
-import { qualityHubClient, getQualityHubBaseUrl } from '../../../services/qualityHub/client.js';
+import { qualityHubClient, getQualityHubBaseUrl, REQUEST_ACCESS_URL } from '../../../services/qualityHub/client.js';
 
 Messages.importMessagesDirectoryFromMetaUrl(import.meta.url);
 const messages = Messages.loadMessages('@provartesting/provardx-cli', 'sf.provar.auth.status');
@@ -82,6 +82,8 @@ export default class SfProvarAuthStatus extends SfCommand<void> {
     this.log('');
     this.log('For CI/CD: set the PROVAR_API_KEY environment variable.');
     this.log('');
+    this.log(`No account? Request access at: ${REQUEST_ACCESS_URL}`);
+    this.log('');
     this.log('Validation mode: local only (structural rules, no quality scoring)');
   }
 }

src/mcp/tools/testCaseValidate.ts

@@ -21,17 +21,19 @@ import {
   getQualityHubBaseUrl,
   QualityHubAuthError,
   QualityHubRateLimitError,
+  REQUEST_ACCESS_URL,
 } from '../../services/qualityHub/client.js';
 import { runBestPractices } from './bestPracticesEngine.js';
 
 const ONBOARDING_MESSAGE =
   'Quality Hub validation unavailable — running local validation only (structural rules, no quality scoring).\n' +
   'To enable Quality Hub (170 rules): run sf provar auth login\n' +
-  'For CI/CD: set the PROVAR_API_KEY environment variable.';
+  'For CI/CD: set the PROVAR_API_KEY environment variable.\n' +
+  `No account? Request access at: ${REQUEST_ACCESS_URL}`;
 
 const AUTH_WARNING =
   'Quality Hub API key is invalid or expired. Running local validation only.\n' +
-  'Run sf provar auth login to get a new key.';
+  `Run sf provar auth login to get a new key, or request access at: ${REQUEST_ACCESS_URL}`;
 
 const RATE_LIMIT_WARNING = 'Quality Hub API rate limit reached. Running local validation only. Try again shortly.';
 

src/services/qualityHub/client.ts

@@ -155,6 +155,13 @@ export async function validateTestCaseViaApi(
  */
 const DEFAULT_QUALITY_HUB_URL = 'https://aqqlrlhga7.execute-api.us-east-1.amazonaws.com/dev';
 
+/**
+ * Self-service access request page for users who do not yet have a Provar MCP account.
+ * Public HTML — no API key or Cognito token required.
+ * Update when staging/prod stages are deployed.
+ */
+export const REQUEST_ACCESS_URL = `${DEFAULT_QUALITY_HUB_URL}/auth/request-access`;
+
 export function getQualityHubBaseUrl(): string {
   return process.env.PROVAR_QUALITY_HUB_URL ?? DEFAULT_QUALITY_HUB_URL;
 }
@@ -191,7 +198,9 @@ export async function exchangeTokenForKey(cognitoAccessToken: string, baseUrl: s
     body
   );
   if (status === 401)
-    throw new QualityHubAuthError('Account not found or no active subscription. Check your Provar licence.');
+    throw new QualityHubAuthError(
+      `Account not found or no active subscription.\nRequest access at: ${REQUEST_ACCESS_URL}`
+    );
   if (!isOk(status)) throw new Error(`Auth exchange failed (${status}): ${responseBody}`);
   return JSON.parse(responseBody) as AuthExchangeResponse;
 }