Conversation

@kmendell kmendell commented Jan 16, 2026

Greptile Summary

This PR implements OIDC device code flow authentication for the Arcane CLI, enabling passwordless login through OAuth2 providers. The implementation follows RFC 8628 for OAuth 2.0 Device Authorization Grant.

Key Changes:

  • Added device code flow authentication with proper polling logic and error handling
  • Implemented OIDC token refresh mechanism using refresh tokens
  • Added new CLI commands: auth device-login, auth refresh-oidc, and auth oidc subcommands
  • Extended config to store OIDC credentials (refresh_token, oidc_client_id, oidc_client_secret, oidc_token_endpoint)
  • Modified password change flow to support OIDC users who may not have a password
  • Added new command modules for GitOps and customize functionality
  • Included complete OpenAPI specification (13,906 lines in spec.yaml)

Implementation Details:

  • The device login flow fetches OIDC configuration from the Arcane server, retrieves the provider's discovery document, initiates device authorization, and polls for token completion
  • Properly handles OAuth2 error responses including authorization_pending, slow_down, access_denied, and expired_token
  • OIDC access_token is stored as jwt_token in the config for consistency with existing JWT-based authentication
  • Removed api_key.clear() from login to support dual authentication methods (API key and JWT/OIDC)
  • Scopes automatically include openid and offline_access to ensure proper token refresh capability

Additional Features:

  • New GitOps commands for managing repository syncs
  • New customize commands for git repository management
  • Health check and environment pairing capabilities

Confidence Score: 4/5

  • This PR is safe to merge with minimal risk
  • The OIDC device code flow implementation follows OAuth2 RFC 8628 standards with proper error handling, token management, and security practices. The code correctly handles polling intervals, timeout scenarios, and error responses. Configuration is properly encrypted on Unix systems (0o600 permissions). The removal of api_key.clear() is intentional to support dual authentication methods. Minor consideration: the large spec.yaml addition (13,906 lines) is typical for OpenAPI specs but should be verified to match the actual API implementation.
  • No files require special attention

Important Files Changed

  • src/commands/auth.rs: Added OIDC device code flow authentication with token refresh, polling logic, and proper error handling. Removed api_key.clear() from login to support dual authentication methods.
  • src/types.rs: Added OIDC type definitions including discovery, device authorization, and token response structs. Changed current_password to Option<String> to support OIDC users without passwords. Added GitOps and Customize module types.
  • src/core/config.rs: Added OIDC configuration fields (refresh_token, oidc_client_id, oidc_client_secret, oidc_token_endpoint) to store OIDC authentication state.
  • src/core/endpoints.rs: Added OIDC endpoint constants and GitOps/customize endpoint functions. Removed deprecated environment_sync_registries endpoint.
  • src/commands/customize.rs: New command module for managing git repositories, categories, and search functionality in the customize interface.
  • src/commands/gitops.rs: New command module for managing GitOps syncs including import, status, file listing, and sync execution operations.
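
The polling rules the summary describes (authorization_pending and slow_down continue the loop, access_denied and expired_token end it) together with the forced openid/offline_access scopes, as an added Rust example that is not the Arcane CLI's own code. The token endpoint is abstracted as a closure so the state machine runs offline, and every type and function name here is an assumption, not something from src/commands/auth.rs.

```rust
use std::time::Duration;

/// One token-endpoint reply, reduced to what the poller needs (assumed shape).
#[derive(Debug, Clone, PartialEq)]
pub enum TokenResponse {
    Success { access_token: String, refresh_token: Option<String> },
    Error(String), // the OAuth2 `error` field, e.g. "authorization_pending"
}

/// Terminal result of the polling loop (assumed type, not the project's).
#[derive(Debug, PartialEq)]
pub enum PollOutcome {
    Authorized { access_token: String, refresh_token: Option<String> },
    Denied,
    Expired,
    Failed(String),
}

/// Scopes for the device authorization request: `openid` and `offline_access`
/// are always present so the provider issues a refresh token.
pub fn scopes_with_required(requested: &[&str]) -> String {
    let mut scopes = vec!["openid", "offline_access"];
    for &s in requested {
        if !scopes.contains(&s) { scopes.push(s); }
    }
    scopes.join(" ")
}

/// Poll the token endpoint until a terminal outcome (RFC 8628 section 3.5).
/// `poll` receives the interval the caller should wait before that request;
/// `server_interval` is the `interval` field from the device authorization
/// response (default 5 s) and `max_polls` stands in for `expires_in`.
pub fn poll_for_token<F>(mut poll: F, server_interval: Option<u64>, max_polls: usize) -> PollOutcome
where F: FnMut(Duration) -> TokenResponse {
    let mut interval = Duration::from_secs(server_interval.unwrap_or(5));
    for _ in 0..max_polls {
        match poll(interval) {
            TokenResponse::Success { access_token, refresh_token } => return PollOutcome::Authorized { access_token, refresh_token },
            TokenResponse::Error(e) => match e.as_str() {
                "authorization_pending" => {} // user has not approved yet; keep waiting
                "slow_down" => interval += Duration::from_secs(5), // back off by 5 s, per RFC
                "access_denied" => return PollOutcome::Denied,
                "expired_token" => return PollOutcome::Expired,
                other => return PollOutcome::Failed(other.to_string()),
            },
        }
    }
    PollOutcome::Expired // device code lifetime exhausted without a decision
}
```

A real client also discards the device code after Denied or Expired so the same code is never re-polled against the provider.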

@kmendell

@greptileai

@kmendell kmendell merged commit 6ffba6a into main Jan 16, 2026
1 check passed
@kmendell kmendell deleted the feat/oidc-device-code-login branch January 16, 2026 04:00