anvil auth login: device-code flow (open browser, no copy-paste) #18

open Opened by cole.christensen@gmail.com

Problem

`anvil auth login` today: prompts for server URL, prompts for PAT (interactive password input), validates against /health, saves. The PAT step requires the user to manually generate one in the web UI (which doesn’t even exist yet — see `fangorn/anvil` parallel tickets), copy it, and paste.

`gh auth login` is the bar: server gives a code, CLI opens browser, user clicks “Authorize” on the server, CLI polls and saves the token. Zero copy-paste.

Proposal

Implement client side of the OAuth 2.0 device authorization grant (RFC 8628):

  1. `POST /api/v1/oauth/device/code` to start.
  2. Show `user_code` in the terminal, attempt to open the verification URL in the browser via `xdg-open` / `open` / `start` (with fallback to print-and-prompt).
  3. Poll `POST /api/v1/oauth/token` at the server-specified interval until success / denied / timeout.
  4. Save the resulting token via the existing `Config` flow.

Keep the current PAT-paste flow available behind a `--token` flag for scripts and CI environments.

Acceptance criteria

  • `anvil auth login` (no args) uses device flow if the server advertises support (HEAD/OPTIONS check or a feature flag in /health)
  • Browser auto-opens; falls back to printing the URL if the user is on a headless box
  • Polls with respect for server-specified `interval` (no busy-loop)
  • Honors `slow_down` and `authorization_pending` per RFC 8628
  • Times out cleanly with a clear error
  • `--token` flag preserved for scripts
  • Tests: clap parsing + a wiremock-backed integration test for the polling loop

Status

Blocked on `fangorn/anvil` device-flow endpoints. Until those land, the immediate UX improvement available is: open the browser to /users/settings/tokens automatically, prompt for paste back. That’s a separate, smaller ticket.

Origin

User feedback: “anvil auth login sucks. also there’s no place in anvil to generate a PAT”.
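
The polling behaviour the acceptance criteria ask for (server-specified `interval`, `authorization_pending`, `slow_down`, clean timeout), as an added Rust example that is not code from the anvil repository. `Poll`, `LoginError` and `poll_for_token` are hypothetical names, and the HTTP request and the sleep are injected closures, so the loop can be exercised without a server.

```rust
use std::time::Duration;

// Added example, not anvil code: all type and function names are hypothetical.
/// One token-endpoint response: a token, or the JSON `error` code (RFC 8628 section 3.5).
#[derive(Debug, Clone, PartialEq)]
pub enum Poll { Token(String), Error(String) }

#[derive(Debug, PartialEq)]
pub enum LoginError { Denied, Expired, Other(String) }

/// `poll` performs one POST to the token endpoint; `sleep` waits between requests.
pub fn poll_for_token(
    interval_secs: u64,
    expires_in_secs: u64,
    mut poll: impl FnMut() -> Poll,
    mut sleep: impl FnMut(Duration),
) -> Result<String, LoginError> {
    let mut interval = interval_secs.max(1); // a zero interval would busy-loop
    let mut waited = 0u64;
    loop {
        // Give up locally once the next wait would outlive the device code.
        if waited.saturating_add(interval) > expires_in_secs {
            return Err(LoginError::Expired);
        }
        sleep(Duration::from_secs(interval));
        waited += interval;
        match poll() {
            Poll::Token(t) => return Ok(t),
            Poll::Error(e) => match e.as_str() {
                "authorization_pending" => {} // user has not acted yet: keep polling
                "slow_down" => interval += 5, // RFC 8628: +5 s for all later requests
                "access_denied" => return Err(LoginError::Denied),
                "expired_token" => return Err(LoginError::Expired),
                other => return Err(LoginError::Other(other.to_string())),
            },
        }
    }
}

fn main() {
    // Constructed server responses, in the order the token endpoint returns them.
    let mut script = vec![
        Poll::Error("authorization_pending".into()),
        Poll::Error("slow_down".into()),
        Poll::Token("constructed-token".into()),
    ]
    .into_iter();
    let result = poll_for_token(5, 900, || script.next().unwrap(), |d| println!("wait {}s", d.as_secs()));
    println!("{:?}", result);
}
```

Any error code other than the four handled here ends the loop rather than being retried, so an unexpected server response cannot keep the CLI polling until the code expires.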