feat(cli): add device code auth flow for remote/headless servers #11934

Draft
roomote-v0[bot] wants to merge 1 commit into main from feature/device-code-auth-flow
@roomote-v0 roomote-v0 bot commented Mar 16, 2026

Related GitHub Issue

Closes: #11925

Description

This PR attempts to address Issue #11925 by adding a device code authentication flow to the CLI, similar to how GitHub CLI handles authentication on remote/headless servers.

The problem: The current roo auth login command starts a local HTTP server on 127.0.0.1 and expects a browser redirect back to localhost. This does not work on remote or cloud servers where the user's browser is on a different machine.

The solution: A new --device-code flag on roo auth login that implements a device code flow:

  1. User runs roo auth login --device-code
  2. CLI requests a device code from AUTH_BASE_URL/api/cli/device-code
  3. CLI displays a verification URL and user code
  4. User opens the URL on any device with a browser and enters the code
  5. CLI polls AUTH_BASE_URL/api/cli/device-code/poll until auth completes
  6. Token is saved locally

Key implementation details:

  • Added useDeviceCode option to LoginOptions interface
  • Refactored login() to route between browser callback (default) and device code flows
  • New exported functions: deviceCodeLogin(), pollForToken(), httpPost()
  • Added --device-code CLI flag via Commander
  • Backward compatible: existing behavior unchanged without the flag

Note: This PR implements the client-side (CLI) portion. The server-side endpoints (POST /api/cli/device-code and POST /api/cli/device-code/poll) need to be implemented on the auth server. The expected API contract is documented in the type interfaces.

Feedback and guidance are welcome.

Test Procedure

  • 8 new unit tests in apps/cli/src/commands/auth/__tests__/login.test.ts
  • Tests cover: routing logic, poll timeout behavior, HTTP error handling, verbose logging
  • All 515 existing tests continue to pass
  • Run: cd apps/cli && npx vitest run src/commands/auth/__tests__/login.test.ts

Pre-Submission Checklist

  • Issue Linked: This PR is linked to an approved GitHub Issue.
  • Scope: Changes are focused on the linked issue.
  • Self-Review: Performed a self-review of the code.
  • Testing: New tests added to cover the changes.
  • Documentation Impact: CLI help text updated; user docs may need updating for the new flag.
  • Contribution Guidelines: Read and agree to the Contributor Guidelines.

Documentation Updates

  • Yes, documentation updates are required. The CLI docs should mention the --device-code flag for remote server usage.

Additional Notes

The server-side device code endpoints follow the standard OAuth 2.0 Device Authorization Grant pattern (RFC 8628). The expected response shapes are:

POST /api/cli/device-code returns:

{ "device_code": "...", "user_code": "ABCD-1234", "verification_uri": "https://...", "expires_in": 900, "interval": 5 }

POST /api/cli/device-code/poll with { "device_code": "..." } returns:

{ "status": "pending" | "complete" | "expired", "token": "..." }

Adds a --device-code flag to `roo auth login` that implements a device
code authentication flow similar to GitHub CLI. This allows users on
remote or headless servers to authenticate by:

1. Running `roo auth login --device-code`
2. Opening a verification URL on any device with a browser
3. Entering the displayed user code
4. CLI polls for completion and saves the token

The server-side endpoints (POST /api/cli/device-code and
POST /api/cli/device-code/poll) need to be implemented separately.

Closes #11925
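
One way a client can treat the two response shapes quoted in the PR description as untrusted input, written as an added example that is not code from this PR. The names `checkGrant`, `nextStep` and `pollDeviceCode`, the numeric limits, the `user_code` pattern, and the injected `post`/`sleep` functions are assumptions made for illustration.

```typescript
// Added example, not code from the PR. Field names follow the response shapes
// quoted in the PR description; helper names and limits are assumptions.
type Grant = { device_code: string; user_code: string; verification_uri: string; expires_in: number; interval: number }
type Step = { kind: "wait"; ms: number } | { kind: "done"; token: string } | { kind: "fail"; reason: string }

const MIN_INTERVAL_S = 1 // assumed floor so a bad reply cannot make the CLI hammer the server
const MAX_LIFETIME_S = 1800 // assumed ceiling on how long the CLI keeps polling
// Returns null when the grant is safe to display and poll, otherwise the reason it is not.
function checkGrant(g: Grant): string | null {
  // https only and printable ASCII only: both values are printed to the user's terminal.
  if (!/^https:\/\/[\x21-\x7e]+$/.test(g.verification_uri)) return "verification_uri must be a printable https URL"
  if (!/^[A-Za-z0-9-]{4,32}$/.test(g.user_code)) return "user_code has unexpected characters"
  if (!g.device_code) return "device_code missing"
  if (!(g.expires_in > 0 && g.expires_in <= MAX_LIFETIME_S)) return "expires_in out of range"
  if (!(g.interval >= 0 && g.interval <= g.expires_in)) return "interval out of range"
  return null
}

// Decides what the poll loop does with one reply; elapsedS is seconds since polling began.
function nextStep(reply: unknown, g: Grant, elapsedS: number): Step {
  const r = (typeof reply === "object" && reply !== null ? reply : {}) as { status?: unknown; token?: unknown }
  if (r.status === "complete")
    return typeof r.token === "string" && r.token.length > 0
      ? { kind: "done", token: r.token }
      : { kind: "fail", reason: "complete without token" }
  if (r.status === "expired") return { kind: "fail", reason: "device code expired" }
  if (r.status !== "pending") return { kind: "fail", reason: "unexpected poll status" }
  // Enforce the deadline locally instead of trusting the server to report "expired".
  if (elapsedS >= g.expires_in) return { kind: "fail", reason: "device code expired" }
  return { kind: "wait", ms: Math.max(g.interval, MIN_INTERVAL_S) * 1000 }
}

// Poll loop with injected transport and timer so it can be exercised offline.
async function pollDeviceCode(
  g: Grant,
  post: (body: { device_code: string }) => Promise<unknown>,
  sleep: (ms: number) => Promise<void>,
  now: () => number = () => Date.now(),
): Promise<string> {
  const problem = checkGrant(g)
  if (problem) throw new Error(problem)
  const started = now()
  for (;;) {
    const step = nextStep(await post({ device_code: g.device_code }), g, (now() - started) / 1000)
    if (step.kind === "done") return step.token
    if (step.kind === "fail") throw new Error(step.reason) // reasons never include the token
    await sleep(step.ms)
  }
}
```
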
Development

Successfully merging this pull request may close these issues.

[BUG] CLI routes to localhost on auth