Add OAuth login flow for CircleCI authentication

[hanabel1]

Summary

• Adds chunk auth login command that authenticates with CircleCI via OAuth 2.0 Authorization Code + PKCE
  

• Opens the user's browser to CircleCI's consent page, captures the callback on a loopback listener, and
  exchanges the code for a 90-day PAT

• Updates ensureCircleCIClient() to offer OAuth login as the default when no token is found, with manual
  PAT entry as fallback

• Existing chunk auth set circleci flow is unchanged

  Details

  • New internal/oauth/ package: PKCE crypto, loopback HTTP server, browser opening, token exchange, device
    ID persistence
  • --no-browser flag for SSH/headless environments (prints URL instead)
  • --signup flag routes unauthenticated users to signup instead of login
  • Device ID (UUID v4) generated once and stored at ~/.local/state/chunk/device_id for token rotation
  • No new external dependencies — uses stdlib crypto, net, os/exec
  • Requires chunk-cli client registration in authentication-service (Waiting for PR to be merged!!!)

  Test plan

  • Unit tests for PKCE, state, device ID, callback server, token exchange
  • All existing tests pass (including acceptance)
  • Lint clean
  • Manual: chunk auth login --no-browser prints correct authorize URL
  • Manual: full browser flow end-to-end (blocked on auth-service client registration)

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com