turbo

4efe1780 - fix: Address PR review feedback for device flow auth

fix: Address PR review feedback for device flow auth - Display user_code during device flow per RFC 8628 §3.3 MUST requirement - Loop listener.accept in login/SSO redirects to handle browser preflight and favicon requests instead of consuming the single-shot listener - Deduplicate is_vercel into auth/mod.rs - Add subdomain validation test proving ends_with check is correct - Add CSPRNG note on rand::random() usage for CSRF state generation