chore: repo cleanup + hosted MCP sign-in documentation #7

Merged
jesseoue merged 2 commits into main from chore/repo-cleanup-and-mcp-signin
Apr 19, 2026

Conversation

@jesseoue
Contributor

Summary

Two-commit cleanup pass that (1) removes rot and fixes latent CI bugs, and (2) documents the hosted MCP sign-in flow so every surface (humans, AI tools, security reviewers) reads from the same public source of truth.

  • chore: delete empty STATUS.md, delete the duplicate PR template under .github/PULL_REQUEST_TEMPLATE/, fix the OpenAPI 3.1 examples grep that was matching examples: as a prefix of itself, bump CI Node 18 → 22, dedupe .gitignore, trim stale credit tables from CHANGELOG.md, and track package-lock.json.
  • docs: add a comprehensive Hosted MCP sign-in section to README.md, extend the SECURITY.md allow-list with the OAuth metadata / DCR / static-client entries, and mirror the same facts into llms.txt / llms-full.txt.

All content was pulled from the public discovery endpoints:

  • https://mcp.leadmagic.io/mcp
  • https://mcp.leadmagic.io/clients
  • https://mcp.leadmagic.io/.well-known/oauth-authorization-server
  • https://mcp.leadmagic.io/.well-known/oauth-protected-resource/mcp

What changed

CI and repo hygiene (3275284)

File | Change
--- | ---
.github/workflows/validate-openapi.yml | Fix the example: grep (was matching examples: by prefix — workflow would have failed on any valid 3.1 spec). Bump Node to 22 across all three jobs.
.github/pull_request_template.md | Normalize trailing whitespace.
.github/PULL_REQUEST_TEMPLATE/pull_request_template.md | Deleted — GitHub only loads the top-level template; the nested duplicate was dead weight.
.gitignore | Dedupe (.env, .npm, node_modules/, .node_repl_history were each listed twice). Drop third-party sections that never applied here (Gatsby, Storybook, Nuxt, etc.).
CHANGELOG.md | Remove the stale legacy credit-cost table (superseded by README /v1/... routes) and the snake_case throughout bullet already retracted in [Unreleased].
STATUS.md | Deleted — was a single-line stub with no content.
package-lock.json | Added so CI installs are reproducible.

Hosted MCP sign-in docs (6261fb1)

File | Change
--- | ---
README.md | New Hosted MCP sign-in section: auth-mode table (OAuth + DCR / static public client / API key / Bearer), OAuth metadata URLs and scopes, Cursor install guidance (plugin-first, manual URL-only mcp.json, API-key-via-env), client coverage table (Claude, ChatGPT, VS Code/Copilot, Windsurf, Zed, Cline, Roo Code, OpenCode, Continue, Amp, Augment, JetBrains, Gemini CLI, Amazon Q, Copilot Coding Agent), and a Vercel AI SDK snippet.
SECURITY.md | Allow-list extended with OAuth metadata URLs, DCR registration endpoint, and the static public OAuth client ID (4b9eLjoGVCJ1Dvnc). Explicitly flagged as public by design (PKCE, no secret) so it is not mistaken for a credential or a leak.
llms.txt / llms-full.txt | New Hosted MCP Sign-In section mirroring the README for LLM/agent consumption. Reconciled MCP tool count (10, per the README enumeration).

Secret scan

Scanned the whole tree for Stripe / Slack / GitHub / AWS / Google / private-key patterns and literal LEADMAGIC_API_KEY=... assignments — zero matches. The only key-looking string is pk_38xEiBSnX3Ci24Jl0gn3Q in context7.json, under the explicit public_key field (that is Context7's public library identifier, expected to be committed).

Test plan

  • npm run typecheck — clean
  • npm run lint:openapi (Spectral) — No results with a severity of "error" found!
  • leadmagic-openapi-3.1.json parses as valid JSON; YAML reads cleanly
  • Workflow example: grep now correctly distinguishes example: from examples: on the current spec
  • All five required README sections that the CI documentation-check job looks for are still present (Authentication, Base URL, Credit Consumption, Testing & Validation, Use Case Examples)
  • GitHub Actions green on this PR (validate-spec, lint-spec, check-examples, documentation-check)

Out of scope

  • Regenerating leadmagic-openapi-3.1.{yaml,json} against the latest live docs — tracked as a separate maintenance task in PROJECT_OVERVIEW.md.
  • Any changes to test-api.ts beyond what CI requires.

- Remove empty STATUS.md stub and the duplicate PR template under
  .github/PULL_REQUEST_TEMPLATE/ (GitHub only loads the top-level
  .github/pull_request_template.md).
- Fix the CI "OpenAPI 3.1 examples format" grep in
  .github/workflows/validate-openapi.yml: the previous regex matched
  `example:` as a prefix of the valid 3.1 `examples:`, so the check
  would fail on any conforming spec. Replace with a bounded regex that
  flags only the deprecated singular form.
- Bump CI Node.js from EOL 18 to 22 across all three workflow jobs.
- Dedupe and regroup .gitignore; keep env/key/secret patterns and drop
  dead third-party sections that never applied here.
- Trim stale content from CHANGELOG.md: remove the legacy unversioned
  credit-cost table (superseded by README `/v1/...` routes) and the
  "snake_case throughout" line already retracted in [Unreleased].
- Normalize trailing whitespace in the PR template.
- Track package-lock.json for reproducible CI installs.

Pull the canonical sign-in details from the public discovery endpoints
(https://mcp.leadmagic.io/mcp, /clients, and the two .well-known/ OAuth
metadata URLs) and cross-wire them into every doc surface so humans,
AI tools, and security reviewers land on the same facts.

README.md
- New "Hosted MCP sign-in" section with:
  * Auth-mode table: OAuth + Dynamic Client Registration (recommended),
    OAuth with the published static public client (4b9eLjoGVCJ1Dvnc,
    PKCE, no secret), x-leadmagic-key API-key header, and
    Authorization: Bearer fallback.
  * OAuth metadata URLs, scopes (openid profile email offline_access),
    and issuer (https://clerk.leadmagic.io).
  * Cursor guidance — plugin-first, plus URL-only .cursor/mcp.json and
    API-key-via-env variants for locked-down environments.
  * Client coverage table for Claude, ChatGPT, VS Code/Copilot,
    Windsurf, Zed, Cline, Roo Code, OpenCode, Continue, Amp, Augment,
    JetBrains, Gemini CLI, Amazon Q, Copilot Coding Agent.
  * Vercel AI SDK snippet using @ai-sdk/mcp createMCPClient, reading
    the key from process.env.LEADMAGIC_API_KEY.

SECURITY.md
- Extend the official allow-list with the OAuth authorization server
  metadata URL, protected resource metadata URL, DCR registration
  endpoint, and the static public OAuth client ID. Flag the client ID
  explicitly as public-by-design so nobody mistakes it for a credential
  or a leak.
- Reconcile tool count with the README (10 hosted MCP tools, not 16).

llms.txt / llms-full.txt
- Add a "Hosted MCP Sign-In" section mirroring the README content in
  an LLM-friendly, link-first format.
- Align the MCP surface description to the enumerated 10 tools in the
  README.
jesseoue merged commit 36b0632 into main Apr 19, 2026
7 checks passed
jesseoue deleted the chore/repo-cleanup-and-mcp-signin branch April 19, 2026 17:11
jesseoue added a commit that referenced this pull request Apr 19, 2026
chore: repo cleanup + hosted MCP sign-in documentation
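
The SECURITY.md change above treats the static OAuth client ID as public because the flow relies on PKCE with no client secret. As an added example (not code from this repository), the Node.js check below tests an RFC 8414 authorization-server metadata document for the properties that claim depends on. The sample document and its endpoint URLs are constructed placeholders; only the issuer and scopes come from the PR text.

```javascript
// Added example: offline check of an OAuth authorization-server metadata
// document (RFC 8414 field names) against what the docs state.
const EXPECTED = {
  issuer: "https://clerk.leadmagic.io",                     // from the PR text
  scopes: ["openid", "profile", "email", "offline_access"], // from the PR text
};

// Constructed sample, NOT the live response; endpoint URLs are placeholders.
const SAMPLE_METADATA = {
  issuer: "https://clerk.leadmagic.io",
  authorization_endpoint: "https://auth.example/authorize",
  token_endpoint: "https://auth.example/token",
  registration_endpoint: "https://auth.example/register",
  scopes_supported: ["openid", "profile", "email", "offline_access"],
  code_challenge_methods_supported: ["S256"],
  token_endpoint_auth_methods_supported: ["none", "client_secret_basic"],
};

// Returns a list of findings; an empty list means the document is consistent
// with a public-client, PKCE-only sign-in and with Dynamic Client Registration.
function checkAuthServerMetadata(meta, expected) {
  const findings = [];
  const list = (key) => (Array.isArray(meta[key]) ? meta[key] : []);

  if (meta.issuer !== expected.issuer) {
    findings.push(`issuer mismatch: ${meta.issuer}`);
  }
  // registration_endpoint is what makes DCR possible; all three must be https.
  for (const key of ["authorization_endpoint", "token_endpoint", "registration_endpoint"]) {
    let url;
    try { url = new URL(meta[key]); } catch { findings.push(`${key} missing or not a URL`); continue; }
    if (url.protocol !== "https:") findings.push(`${key} is not https`);
  }
  // A client with no secret is only safe if PKCE with S256 is available.
  if (!list("code_challenge_methods_supported").includes("S256")) {
    findings.push("PKCE S256 not advertised");
  }
  // "none" is the token-endpoint auth method used by public clients.
  if (!list("token_endpoint_auth_methods_supported").includes("none")) {
    findings.push("public clients (auth method 'none') not advertised");
  }
  for (const scope of expected.scopes) {
    if (!list("scopes_supported").includes(scope)) findings.push(`scope not advertised: ${scope}`);
  }
  return findings;
}
```

To run it against the real document, fetch the `.well-known/oauth-authorization-server` URL listed in the PR and pass the parsed JSON in place of `SAMPLE_METADATA`.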