--app flag does not switch credentials for shortcut subcommands

[NOVA-Openclaw]

Bug Description

The --app persistent flag does not actually switch credentials when used with shortcut subcommands (post, reply, whoami, mentions, like, dm, etc.). All requests continue to use the default app's tokens regardless of --app.

Steps to Reproduce

1. Register two apps: default and my-other-app with different credentials/tokens
2. Set default as the active app: xurl auth default default
3. Run: xurl --app my-other-app whoami
4. Observe: the request uses default's tokens, not my-other-app's

Expected Behavior

xurl --app my-other-app whoami should authenticate using my-other-app's credentials and tokens.

Actual Behavior

The --app flag is parsed and Auth.WithAppName() is called in PersistentPreRun, but the override is never propagated to token retrieval. All shortcut commands use the default app's tokens.

Root Cause

There are two interconnected issues:

1. Token retrieval methods ignore Auth.appName

All non-ForApp token methods (GetOAuth1Tokens, GetFirstOAuth2Token, GetBearerToken) delegate to their ForApp variants with an empty string:

func (s *TokenStore) GetOAuth1Tokens() *Token {
    return s.GetOAuth1TokensForApp("")  // always resolves to default app
}

ResolveApp("") returns the default app, so Auth.appName (set by WithAppName) is never consulted during token retrieval.

2. WithAppName conditionally updates client credentials

func (a *Auth) WithAppName(appName string) *Auth {
    a.appName = appName
    app := a.TokenStore.ResolveApp(appName)
    if app != nil {
        if a.clientID == "" {       // only if empty!
            a.clientID = app.ClientID
        }
        if a.clientSecret == "" {   // only if empty!
            a.clientSecret = app.ClientSecret
        }
    }
    return a
}

Since Auth is initialized with the default app's (non-empty) credentials in NewAuth, the override app's credentials are never applied.

Environment

• xurl v0.9.0
• Linux x86_64
• Go (built via goreleaser)