docs(readme): document OAuth install path for hosted MCP

[simaonogueira101]

Summary

After noticedso/noticed#107 (the OAuth 2.1 authorization server) deploys, mcp.noticed.so/api/mcp will accept OAuth alongside the existing nk_live_ API-key Bearer path. This PR documents the OAuth install option in the README, which unblocks claude.ai's web custom-connector flow (whose UI has no field for a custom Authorization header).

Important: do not merge until noticedso/noticed#107 is merged AND deployed to production. If this README ships first, users following the OAuth instructions will hit a 401 because the OAuth endpoints don't exist yet.

What changed

• README: replaced the single "Hosted MCP server" section with two clearly-labelled paths:
  • OAuth — for claude.ai, ChatGPT MCP, and anything that does OAuth discovery + DCR. claude.ai users just paste the URL into the connector dialog; the consent flow handles the rest. Connected applications are visible/revocable at /dashboard/oauth-grants.
  • API key Bearer — unchanged. Still the right choice for Claude Code, Cursor, Claude Desktop's stdio path, anything that supports a custom header.
• Stdio install snippets: untouched. The cli itself (the stdio MCP) doesn't OAuth — it runs on the user's machine with their own NOTICED_API_KEY, no OAuth flow needed.
• Version: bumped 0.3.1 → 0.3.2. The release workflow (PR #2) auto-publishes on package.json version change merging to main.

No code changes

The cli code (src/api-client.ts, src/mcp-server.ts, etc.) is untouched. The stdio CLI is a pure API-key client of noticed.so's REST endpoints — it never talks to mcp.noticed.so and never participates in an OAuth flow. The cli will continue working exactly as today.

Test plan

• npm run lint clean
• npm run check-types clean
• npm test 32/32 passing
• Merge order: wait for noticedso/noticed#107 → smoke mcp.noticed.so/api/mcp OAuth flow against the production deploy → merge this PR → auto-publish workflow ships @noticed/cli@0.3.2

🤖 Generated with Claude Code