feat: Add device auth login

[lox]

Problem

bk auth login currently assumes a browser can be opened on the same machine that is running the CLI and that a localhost callback can be reached. That is awkward or impossible in common headless cases, especially SSH sessions, remote development boxes, and other environments where the user can authorize in a separate browser but cannot rely on loopback browser OAuth.

Buildkite now has OAuth device authorization endpoints, so the CLI should be able to start an RFC-style device flow and poll for the resulting access token without opening a browser callback listener.

What changed

• Added bk auth login --device.
• Added OAuth device authorization request and device-code token polling helpers.
• Reused the existing OAuth token completion path so browser login and device login both resolve the authorized organization, store the access token, store refresh tokens when present, and select the organization in config.
• Rejects incompatible --device --token and --device --org combinations; device flow chooses the organization on the authorization page.
• Added request-level tests for device authorization, invalid_scope, authorization_pending, and slow_down polling behavior.
• Added a command-level device-login test that exercises device authorization, token exchange, organization lookup, keyring storage, refresh-token storage, and config selection.

Validation

• mise exec -- go test ./pkg/oauth ./cmd/auth -count=1
• mise exec -- go test ./cmd/preflight -run 'TestPreflightCmd_Run/returns_user_aborted_when_canceled_during_snapshot_push' -count=1
• mise exec -- go test ./internal/preflight -run 'TestSnapshotContext_CancelsPush' -count=1
• mise exec -- go test ./...
• mise exec -- golangci-lint run --verbose --timeout 3m
• mise run build
• ./dist/bk auth login --help