Skip browser flow only when WSL has no Windows-browser launcher

On WSL the interactive browser flow only succeeds when:
  1. A Windows-side launcher is available (wslu's `wslview` is the
     canonical bridge), and
  2. WSL2 localhost forwarding can route the OAuth redirect back into
     the WSL network namespace (default NAT mode handles this).

When wslview is present the flow works end-to-end and benefits from
Windows session SSO (which is what gets past Conditional Access).
When wslview is absent, xdg-open silently does nothing and
InteractiveBrowserCredential.Authenticate() blocks forever waiting for
a redirect that will never arrive — in that specific case we skip
straight to device code so the user at least sees a code instead of
an indefinite hang.

Env var overrides:
  DARC_FORCE_BROWSER_AUTH=1  always attempt browser flow
  DARC_USE_DEVICE_CODE=1     always skip browser flow

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: lewing

src/Maestro/Maestro.Common/AppCredentials/CachedInteractiveBrowserCredential.cs

@@ -58,6 +58,77 @@ public CachedInteractiveBrowserCredential(
                 return Task.CompletedTask;
             },
         });
+
+        // On WSL the interactive browser flow only succeeds when a Windows-side browser
+        // launcher (wslu's `wslview`) is installed AND WSL2 localhost forwarding can route
+        // the OAuth redirect back into the WSL network namespace. With wslu present that
+        // path works on default NAT-mode WSL2. Without wslu, xdg-open silently does nothing
+        // and `_browserCredential.Authenticate()` blocks forever waiting for a redirect
+        // that will never arrive. In that specific case, skip straight to device code so
+        // the user at least sees a code rather than an indefinite hang.
+        if (IsWslWithoutBrowserLauncher())
+        {
+            Interlocked.Exchange(ref _isDeviceCodeFallback, 1);
+        }
+    }
+
+    private static bool IsWslWithoutBrowserLauncher()
+    {
+        // Opt-out: user knows their setup supports browser auth even if we don't detect it.
+        if (string.Equals(Environment.GetEnvironmentVariable("DARC_FORCE_BROWSER_AUTH"), "1", StringComparison.Ordinal))
+        {
+            return false;
+        }
+
+        // Opt-in: user explicitly wants device code regardless of environment.
+        if (string.Equals(Environment.GetEnvironmentVariable("DARC_USE_DEVICE_CODE"), "1", StringComparison.Ordinal))
+        {
+            return true;
+        }
+
+        bool isWsl = !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WSL_DISTRO_NAME"))
+            || !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WSL_INTEROP"));
+        if (!isWsl)
+        {
+            return false;
+        }
+
+        // On WSL: only skip browser flow if no usable launcher is on PATH.
+        // wslview (from the wslu package) is the canonical Windows-browser bridge.
+        // BROWSER env var override is also respected by Azure.Identity's launcher.
+        if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("BROWSER")))
+        {
+            return false;
+        }
+        return !ExistsOnPath("wslview");
+    }
+
+    private static bool ExistsOnPath(string executable)
+    {
+        var path = Environment.GetEnvironmentVariable("PATH");
+        if (string.IsNullOrEmpty(path))
+        {
+            return false;
+        }
+        foreach (var dir in path.Split(Path.PathSeparator))
+        {
+            if (string.IsNullOrEmpty(dir))
+            {
+                continue;
+            }
+            try
+            {
+                if (File.Exists(Path.Combine(dir, executable)))
+                {
+                    return true;
+                }
+            }
+            catch
+            {
+                // Ignore inaccessible PATH entries.
+            }
+        }
+        return false;
     }
 
     public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)