UX: auto-promote or warn when only one app has credentials but isn't the default

[teknium1]

Problem

When a user runs xurl auth apps add my-app --client-id ... --client-secret ... followed by xurl auth oauth2 (without --app my-app), the OAuth token is saved to the built-in default app profile — which has no client-id or client-secret. All subsequent commands fail with auth errors even though the OAuth flow appeared to succeed.

This is the #1 setup pitfall we see across users integrating xurl with AI agents (Hermes Agent, OpenClaw, Claude Code). Multiple independent write-ups have documented it:

• https://zenn.dev/ricrio/articles/xurl-cli-setup-guide (Step 6 warning)
• https://dev.to/code_performance/fix-xurl-oauth-20-fails-with-unauthorizedclient-on-x-api-3n3g

Proposal

When xurl auth oauth2 is run without --app:

1. If exactly one non-default app has both client-id and client-secret configured, auto-select it (or prompt the user to confirm). The empty default profile should not win by default when a configured app exists.

2. If multiple apps exist but none is set as default, show a warning like:

   Warning: No default app set. Use "xurl auth default <app>" to set one.
   Available apps with credentials: my-app, prod-app
   

3. Alternatively, if the default app has no client-id/client-secret, refuse to proceed and suggest --app <name> with the list of configured apps.

Any of these would eliminate the most common xurl setup failure. The current behavior — silently saving a token to an empty profile — gives users a false success signal.

Workaround

Users must explicitly specify --app on every auth command:

xurl auth apps add my-app --client-id ... --client-secret ...
xurl auth oauth2 --app my-app
xurl auth default my-app

Environment

• xurl v1.0.3
• Reported by multiple users across Hermes Agent and OpenClaw integrations