feat: Add device auth login

[lox]

Problem

bk auth login currently assumes a browser can be opened on the same machine that is running the CLI and that a localhost callback can be reached. That is awkward or impossible in common headless cases, especially SSH sessions, remote development boxes, and other environments where the user can authorize in a separate browser but cannot rely on loopback browser OAuth.

Buildkite now has OAuth device authorization endpoints, so the CLI should be able to start a device flow and poll for the resulting access token without opening a browser callback listener.

Impact

Users can run bk auth login --device on a headless or remote machine, authorize from another browser, and have the CLI persist the resulting access and refresh tokens through the same OAuth storage path as browser login. Existing browser login and --token login behavior is preserved.

What Changed

• Added bk auth login --device.
• Added OAuth device authorization request and device-code token polling helpers.
• Reused the existing OAuth persistence path so browser login and device login both resolve the authorized organization, store the access token, store refresh tokens when present, and select the organization in config.
• Only advertises automatic refresh when refresh-token storage actually succeeds.
• Rejects incompatible --device --token and --device --org combinations; device flow chooses the organization on the authorization page.
• Added request-level tests for device authorization, invalid_scope, authorization_pending, and slow_down polling behavior.
• Added a command-level device-login test that exercises device authorization, token exchange, organization lookup, keyring storage, refresh-token storage, and config selection.
• Updated the pinned Go toolchain to 1.26.4 and removed unused go-buildkite/v5 module metadata inherited from the rebase so the current tidy and govulncheck CI gates pass.