v1.7.0

Released by github-actions on 31 May 06:34

pollen v1.7.0

The minor that completes pollen's OAuth roadmap and removes
the long-standing friction of editing settings.json by hand.

Two features, both addressing scope-out items that have
been deferred since v1.5–v1.6.

OAuth Device Code (RFC 8628). pollen's previous OAuth
support — Client Credentials (v1.5.0) and Authorization
Code with PKCE (v1.6.0) — covered confidential machine-to-
machine clients and interactive desktop browsers. Neither
quite fits the environment pollen actually lives in:
SSH sessions on a remote server, WSL where the Linux
"open browser" command may not work, CI runners with no
display, containers. Device Authorization Grant is the
canonical OAuth flow for these cases — pollen never tries
to open a browser itself. It calls the IdP's device
authorization endpoint, displays a short user_code + URL,
and polls the token endpoint while the user completes the
authorization step on whatever device they already have
logged in (phone, laptop). When the user approves, pollen
gets the access token; the standard auto-refresh-on-send
machinery takes it from there.

The Auth panel gains a sixth tab, "OAuth DC", with five
fields (Device URL, Token URL, Client ID, Client Secret,
Scope) plus the action row. g starts the flow; Esc
cancels mid-flight. The user_code and verification URL
get prominent panel real estate during polling — three
dedicated lines because that's the user's transcription
target. RFC 8628 §3.5's state machine is honoured
verbatim: authorization_pending continues at the current
interval, slow_down adds 5 seconds, access_denied and
expired_token end the flow. The 30-minute total timeout
matches what typical IdPs allow for the verification
window.
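The §3.5 polling decision described above, as an added example in Go; this is not pollen's own internal/oauth/devicecode.go, and the NextPollStep function, the constructed token-endpoint replies in main and the token value are assumptions for illustration:

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// NextPollStep applies the RFC 8628 §3.5 state machine to one token-endpoint
// reply: done means stop polling (token on success, err on failure); next is
// the interval to wait before the following poll.
func NextPollStep(body []byte, interval time.Duration) (token string, next time.Duration, done bool, err error) {
	var r struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
	}
	if e := json.Unmarshal(body, &r); e != nil {
		return "", interval, true, fmt.Errorf("malformed token response: %w", e)
	}
	switch r.Error {
	case "": // success reply; a reply with neither token nor error is malformed
		if r.AccessToken != "" {
			return r.AccessToken, interval, true, nil
		}
		return "", interval, true, fmt.Errorf("response carries neither access_token nor error")
	case "authorization_pending": // user has not approved yet; keep the interval
		return "", interval, false, nil
	case "slow_down": // IdP asks us to back off: the interval grows by 5 seconds
		return "", interval + 5*time.Second, false, nil
	case "access_denied", "expired_token": // terminal states per the RFC
		return "", interval, true, fmt.Errorf("device flow ended: %s", r.Error)
	default: // unknown error code: stop rather than poll forever
		return "", interval, true, fmt.Errorf("unexpected token error %q", r.Error)
	}
}

func main() {
	replies := []string{ // constructed replies, in an order an IdP might return them
		`{"error":"authorization_pending"}`,
		`{"error":"slow_down"}`,
		`{"access_token":"constructed-access-token","token_type":"Bearer"}`,
	}
	interval := 5 * time.Second // the interval the device authorization reply suggested
	for _, body := range replies {
		token, next, done, err := NextPollStep([]byte(body), interval)
		fmt.Printf("%-40s -> next=%v done=%v token=%q err=%v\n", body, next, done, token, err)
		interval = next
	}
}
```

The caller's loop sleeps for next between polls and abandons the flow when its overall 30-minute deadline passes or the user cancels.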

Tokens land in ~/.config/pollen/oauth_tokens.json the
same way CC and AC tokens do (mode 0600, keyed by
URL+ClientID+Grant). The d-on-action-row "forget" key
works identically.

In-TUI Settings overlay (Ctrl+,). Until v1.7 the only
way to change pollen's behaviour beyond toggling TLS
verification or switching environments was to quit, edit
settings.json by hand, and restart. The new overlay
exposes all 17 settings keys as editable rows: bools
toggle on Enter, int/float/string fields drop into an
editor that validates against the same ranges Load()
clamps. Each commit lands in settings.json and is
applied to the matching runtime global immediately —
HTTP request timeout, response size cap, history limit,
intruder concurrency / delay / max requests, proxy URL,
disable-redirects, the OAuth-persist-tokens flag, and so
on. Two fields (CA cert file, Enable cookies) carry a
"restart" badge: they're consumed only at startup, so the
change is saved but takes effect on the next launch.

Navigation matches the v1.6.1 accordion help — ↑/↓ or
j/k, g/G for first/last, PgUp/Dn to hop five, Esc or q to
close. The Help section is updated so that Ctrl+, is
discoverable.

Added:

  • OAuth DC auth type and Device Authorization Grant
    implementation in internal/oauth/devicecode.go,
    exposed via the AuthOAuthDC panel
  • Token persistence for device_code tokens (shares the
    v1.6.4 oauth_tokens.json layer)
  • In-TUI Settings overlay covering all 17 settings.json
    keys, opened with Ctrl+,
  • Three new intruder setter methods so settings changes
    flow into the Intruder config defaults at runtime
  • Help section entries advertising both new features

Notes:

  • The v1.x SemVer-frozen surface gains the AuthOAuthDC
    value and the Ctrl+, binding. Existing configuration
    files load without modification
  • The v1.6.2-era openBrowser-failure recovery item is
    closed by the Device Code addition: in any environment
    where browser launch is unreliable, Device Code is the
    right grant to pick. The plain Authorization Code path
    is unchanged for environments where browser launch
    works
  • CA cert file and Enable cookies still require restart;
    their live-reload would require deeper transport-layer
    surgery that is intentionally out of scope

See CHANGELOG.md for the full list.