feat: browser-based gradient login (#251)

[DerDennisOP]

Implements the OAuth 2.0 Device Authorization Grant for gradient login so the CLI no longer needs to handle a password directly: the user confirms the session in their browser instead.

Closes #251.

Summary

• gradient login (no args) starts a device flow: prints the verification URL + a short confirmation code, opens the browser, then polls until the user authorizes from /account/cli-authorize.
• gradient login --username … --password … keeps the current scriptable basic-login path; --no-browser skips the browser open for headless/SSH use.
• New endpoints POST /auth/cli/{start,poll,authorize,deny} and GET /auth/cli/info; pending rows expire after 10 min, the user_code uses an ambiguity-free alphabet, and the device_code is stored hashed.
• New frontend route /account/cli-authorize reads ?code=, prompts the user to confirm origin IP / user-agent, and exposes Authorize / Deny buttons. The login page now honors ?next= so the redirect back from /account/login lands the user on the authorize page.

Test plan

• CI runs the new cargo test -p web --test cli_device_authorization suite (start → poll pending/expired/denied/authorized state machine, auth-required guard on /authorize, deny path).
• Manual: gradient config server …, gradient login opens the browser, code matches, click Authorize, terminal logs in.
• Manual: gradient login --no-browser prints the URL and polls successfully when opened on another device.
• Manual: gradient login --username X --password Y still works (backwards compat).
• Manual: cancelling in the browser (Deny) makes the CLI exit non-zero.