yorker login: browser auth for the CLI

The Yorker CLI now ships with yorker login. Running it opens a consent page at yorkermonitoring.com/cli/auth where you click Authorize. Yorker mints a real API key tied to your team, names it CLI <hostname> so machines are easy to tell apart on the dashboard, and stores it at ~/.yorker/credentials (mode 0600). No more pasting sk_... into your shell on every new laptop.

yorker logout removes the local credential. Pass --revoke to also delete the API key on the server in one step.

Existing API keys still work. If you have YORKER_API_KEY set, the CLI uses it ahead of the persisted credential, so CI scripts and Docker containers stay exactly as they are.

Note (2026-05-09): this entry describes the user-facing surface, which is unchanged. The underlying implementation that shipped on this date was a localhost-callback flow (the consent page POSTed the minted key back to a short-lived listener the CLI bound on 127.0.0.1); it was replaced the following day by a device-code polling flow because Safari blocked the https://yorkermonitoring.com to http://127.0.0.1 cross-origin POST. See the 2026-05-09 entry for the rewrite. yorker login / yorker logout, ~/.yorker/credentials, and key-revocation behavior all stayed identical across the change.