fix(windows): OAuth2 auth flow is broken when opening the browser

[igormf]

On Windows, xurl breaks OAuth2 authentication at the very first step because it opens the browser with a truncated authorize URL, so the PKCE flow cannot start correctly.

Summary

• switch Windows browser launch from cmd /c start to rundll32 url.dll,FileProtocolHandler so the full OAuth2 authorize URL reaches the browser intact
• honor HOME before os.UserHomeDir() in the token store so home-directory based .xurl lookup and migration behave consistently across environments and tests
• add a small regression test around browser command construction so the Windows launch path is verified in unit tests

Why this breaks on Windows

The existing Windows path launches the browser via cmd /c start <url>. OAuth2 authorize URLs contain & separators, and cmd treats those as command separators unless they are quoted/escaped in a shell-specific way. In practice, the browser only receives:

https://x.com/i/oauth2/authorize?client_id=...

That strips redirect_uri, response_type, scope, state, code_challenge, and code_challenge_method, so the PKCE flow fails before the user can authenticate.

Test plan

• go test ./auth ./store
• unit test verifies the Windows browser-launch command keeps the full OAuth2 PKCE URL as a single argument
• on Windows, xurl auth oauth2 <username> opens the browser with the full OAuth2 PKCE URL
• completed OAuth2 authentication successfully on Windows after the browser-launch fix

[CLAassistant]

All committers have signed the CLA.

[igormf]

fixes #57

[santiagomed]

Thanks for the fix, @igormf!