Adds an experimental --experimental-device flag to wrangler login that uses the OAuth 2.0 Device Authorization Grant (RFC 8628) instead of the existing localhost callback flow.

Replaces #13130 with an industry standard approach.
Fixes #13117
Fixes #10935

What this changes

wrangler login --experimental-device runs a new flow that:

• requests a device code + user code from the OAuth device authorization endpoint,
• prints the verification URL and user code to the terminal,
• attempts to open the verification URL in the user's default browser,
• prints a QR code of the verification URL so the user can scan it with their phone,
• polls the token endpoint with grant_type=urn:ietf:params:oauth:grant-type:device_code until the user approves the request, denies it, or the device code expires.

This is useful in containers, remote SSH sessions, Codespaces, and any other environment where localhost:8976 is unreachable from the user's browser.

Where the code lives

Since this PR was first opened, wrangler's OAuth machinery was extracted into the @cloudflare/workers-auth package (#14185). This PR is rebased onto that structure:

• The device-flow primitives live in @cloudflare/workers-auth, exposed through the existing createOAuthFlow(...) API as a new device login option. Other Cloudflare CLIs that consume the package get the flow for free.
• wrangler wires up the --experimental-device flag and injects its QR renderer + client config into the flow context.
• The QR renderer is injected via the flow context (renderDeviceQrCode), mirroring the existing generateAuthUrl / generateRandomState test-injection seam, so the device-flow snapshot tests stay deterministic.

Behaviour details

• Initial poll is sent immediately with no wait, so logins that complete before the QR finishes rendering feel instantaneous.
• Subsequent polls respect the server's interval field (RFC 8628 §3.5), with a minimum floor of 1s. If the server sends slow_down, we add +5s as required by the RFC.
• Wrangler-side hard cap of 5 minutes on top of the server's expires_in, to limit the abuse window if a user code is ever leaked (RFC 8628 §5.4).
• --callback-host and --callback-port are rejected (hard error) when --experimental-device is set — this flow has no local callback server.
• offline_access scope is appended unconditionally, same as the auth-code flow, so refresh tokens still work end-to-end.
• Polling does not spam stderr: HTTP 400 with authorization_pending / slow_down is the expected RFC 8628 §3.5 control mechanism, so the poll path logs non-2xx responses at debug level only — a normal pending login produces no error output.
• The device authorization endpoint is not environment-overridable; it derives from the same auth domain as the token endpoint (production vs. staging), so the device-auth and token endpoints can never desync.

Why "experimental"

This is gated behind --experimental-device so we can iterate on UX (polling cadence, timeout messaging, QR rendering, etc.) before committing to the surface. There is no auto-detection or fallback from the existing flow — users have to opt in explicitly.

Dependencies

This is the client-side (Wrangler) portion. It is safe to land independently because the flag is experimental and opt-in, but the end-to-end flow only works in production once the supporting server-side work ships:

• AUTHN-168 — upgrade internal OAuth service ✅
• AUTHN-240 — upgrade configuration tooling ✅
• AUTHN-217 / AUTHN-218 / AUTHN-216 — add the necessary backend routes and web pages ⏳

• Tests
  • Tests included/updated (device-flow tests in packages/wrangler/src/__tests__/user.test.ts; flow primitives in @cloudflare/workers-auth)
• Public documentation
  • Cloudflare docs PR(s): [wrangler] Document wrangler login --experimental-device cloudflare-docs#31091