
fix(auth): harden OAuth callback flow and add per-app redirect URI co…#64

Merged
santiagomed merged 1 commit into xdevplatform:main from robert-hoffmann:fix-oauth-redirect-uri-and-auth-flow
Apr 20, 2026

Conversation

@robert-hoffmann
Contributor

Summary

This PR improves xurl's OAuth and app configuration flow in a few related areas:

  1. fixes local OAuth callback handling when localhost resolves inconsistently across loopback families
  2. starts the callback listener before opening the browser to avoid auth-flow races
  3. makes OAuth2 auth and refresh more resilient when /2/users/me is unreliable
  4. adds per-app redirect_uri support in ~/.xurl, with REDIRECT_URI env override precedence
  5. adds CLI commands and docs for viewing and updating app redirect URIs

Problem

I hit a few issues while trying to use OAuth2 locally:

  • the redirect URI was documented as http://localhost:8080/callback, but depending on how localhost resolved, the browser callback could miss the listener unless I manually changed it to 127.0.0.1
  • the browser could open before the listener was fully ready
  • OAuth2 token handling was brittle when /2/users/me did not reliably return username data
  • REDIRECT_URI could only be configured via environment variable, even though app credentials and tokens already live in ~/.xurl

Separately, after the local callback flow was fixed, I also confirmed a live X platform issue that produced client-forbidden / client-not-enrolled for reads until the app was moved to the Pay-per-use package and Production environment. I documented that in the repo docs/changelog as platform troubleshooting guidance, not as an xurl code change.

Changes

OAuth callback flow

  • derive callback binding from the effective redirect URI
  • when the host is localhost, listen on both:
    • 127.0.0.1
    • ::1
  • replace http.DefaultServeMux usage with a dedicated local mux
  • start the listener before opening the browser

OAuth2 resilience

  • preserve OAuth2 tokens even when username discovery via /2/users/me fails
  • allow unnamed fallback token storage instead of failing auth outright
  • migrate unnamed refreshed tokens to a named token once username lookup succeeds later
  • make shortcut commands fall back to --username lookup when /2/users/me is unavailable
  • ensure fresh OAuth2 flows still return a proper Bearer header

Redirect URI config

  • add per-app redirect_uri support to ~/.xurl
  • resolve effective redirect URI with this precedence:
    1. REDIRECT_URI env var
    2. stored app redirect_uri
    3. built-in default
  • add CLI support:
    • xurl auth apps redirect-uri get [NAME]
    • xurl auth apps redirect-uri set NAME URI
    • xurl auth apps update NAME --redirect-uri URI
    • optional --redirect-uri on xurl auth apps add

Docs and tests

  • update README and SKILL.md for:
    • redirect URI precedence
    • redirect URI management commands
    • localhost dual-stack callback behavior
    • current X platform enrollment troubleshooting
  • add/extend tests for:
    • listener config derivation
    • OAuth2 fallback behavior
    • redirect URI precedence
    • per-app redirect URI storage
    • CLI username fallback behavior

Validation

Ran:

go test ./...
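An added illustration (not xurl's own code) of the two derivations the description above lays out: the redirect URI precedence and the localhost dual-stack listener binding. The function names, the default of http://localhost:8080/callback, and passing the REDIRECT_URI env value in as a parameter are assumptions made here.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
)

// Built-in default, taken from the PR's Problem section (value assumed here).
const defaultRedirectURI = "http://localhost:8080/callback"

// resolveRedirectURI applies the precedence the PR describes:
// REDIRECT_URI env var, then the app's stored redirect_uri, then the default.
func resolveRedirectURI(envValue, storedValue string) string {
	if envValue != "" {
		return envValue
	}
	if storedValue != "" {
		return storedValue
	}
	return defaultRedirectURI
}

// deriveListener turns the effective redirect URI into the addresses the
// callback server must bind and the path it must serve. A host of "localhost"
// binds both loopback families so the browser's callback is caught whether
// the OS resolves localhost to 127.0.0.1 or ::1.
func deriveListener(redirectURI string) ([]string, string, error) {
	u, err := url.Parse(redirectURI)
	if err != nil {
		return nil, "", err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, "", fmt.Errorf("unsupported redirect scheme %q", u.Scheme)
	}
	host, port := u.Hostname(), u.Port()
	if port == "" {
		port = map[string]string{"http": "80", "https": "443"}[u.Scheme]
	}
	addrs := []string{net.JoinHostPort(host, port)}
	if host == "localhost" {
		addrs = []string{net.JoinHostPort("127.0.0.1", port), net.JoinHostPort("::1", port)}
	}
	return addrs, u.Path, nil
}
```

With these bindings in hand, the ordering fix in the PR is to listen on every returned address first and only then launch the browser, so the callback cannot arrive before a socket exists.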

Copilot AI review requested due to automatic review settings April 19, 2026 22:00
@CLAassistant

CLAassistant commented Apr 19, 2026

CLA assistant check
All committers have signed the CLA.


Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

Collaborator

@santiagomed santiagomed left a comment


Thanks for the thorough fix, @robert-hoffmann!

@santiagomed santiagomed merged commit 1a17984 into xdevplatform:main Apr 20, 2026
5 of 6 checks passed