feat: xurl mcp + token, headless OAuth2, auth/UX hardening (v1.2.0)

[santiagomed]

feat: add xurl mcp bridge + xurl token, headless OAuth2, and auth/UX hardening

New commands

• xurl mcp [URL]: a stdio<->Streamable-HTTP MCP bridge for the hosted X API MCP
  server. Injects an auto-refreshed OAuth2 Bearer token, maintains the MCP
  session id, handles JSON/SSE/202 responses, processes requests in order off
  the read loop while dispatching notifications concurrently, synthesizes a
  JSON-RPC error for any request it cannot answer (so a strict client never
  hangs), and shuts down cleanly on SIGINT/EOF.
• xurl token: print a valid (refreshed, persisted) OAuth2 access token for the
  active app; never opens a browser, so it is scriptable.

Auth

• xurl auth oauth2 --headless: authenticate on remote/headless machines with no
  reachable localhost callback -- print the authorize URL, paste the redirect
  URL/code back (also via stdin).
• OAuth2 token exchange/refresh now sets the client-auth style explicitly (Basic
  header for confidential clients, body for public), fixing
  unauthorized_client: Missing valid authorization header against X.
• auth app -> auth app-only (aliases: app, bearer); token is positional or
  read from stdin (-); auth clear --app-only.

Command surface

• Group subcommands in --help; add xurl posts USERNAME; support xurl --version; -d implies POST (curl-like).

Fixes

• media upload: corrected verbose/wait/trace argument order and added media-type
  auto-detection (erroring on unsupported types instead of guessing).
• Surface real transport/auth errors instead of printing null; fail fast on
  missing credentials; JSON-encode DM text; clamp --max-results per endpoint;
  OAuth2 expiry/skew handling; webhook help + isolated ServeMux; .gitignore
  fix. See CHANGELOG.md for the complete list.

[santiagomed]

This release also resolves several open issues:

• Fixes xurl media upload without flags returns a media ID but the upload actually fails #76 — xurl media upload <file> without flags now auto-detects the media type and category from the file extension (and errors clearly on unsupported types) instead of defaulting to video/mp4 and returning a media ID that silently fails downstream.
• Fixes Is media upload working? #29 — same root cause: images are no longer uploaded as video/mp4 and forced through video processing (which produced media processing failed).
• Fixes Allow changing redirect URI or --headless option #62 — adds xurl auth oauth2 --headless for authenticating on headless/remote hosts (complements the per-app redirect URI added in fix(auth): harden OAuth callback flow and add per-app redirect URI co… #64).
• Fixes Oauth2 timeout waiting for callback #40 — --headless lets you authenticate on a VPS/headless box without a reachable localhost callback, avoiding the callback timeout.

(The v1.2.0 release also publishes @xdevplatform/xurl to npm, which resolves #77.)

[santiagomed]

Folded in three more fixes (commit ba32144):

• Fixes install.sh silently installs to the wrong location when piped to sh (dash) #68 — install.sh now detects root with id -u instead of the bash-only $EUID, so curl … | sh under dash installs to /usr/local/bin as root instead of silently falling back to ~/.local/bin.
• Fixes Windows: install.js fails — calls Unix unzip command #56 — npm/install.js extracts the Windows .zip with PowerShell's Expand-Archive instead of the Unix unzip command, so npm install -g @xdevplatform/xurl works on Windows.
• Fixes whoami reports verified: false for Premium subscribers with blue checkmark #41 — whoami / user now request verified_type and subscription_type, so Premium/blue accounts report correctly instead of verified: false.