feat(oauth): add client_credentials grant for machine clients and fix PlaceAvatar stale image retry

- Add OAuth 2.0 client_credentials flow so AI agents and scripts can obtain tokens directly via client_id + client_secret without any browser interaction
- New DB column allows_client_credentials on oauth_clients; machine clients skip redirect URI requirement and are forced confidential
- New issueClientCredentialsToken() issues access-only tokens (no refresh token, RFC 6749 §4.4)
- UI: "Machine client" checkbox in create-client modal, hides redirect URI field, shows indigo badge on existing machine clients
- Advertise client_credentials in OAuth discovery document
- 8 new integration tests (OAUTH-CC-001–008)
- i18n: 4 new keys across all 15 languages
- Fix PlaceAvatar: re-fetch photo via API on image_url load failure before falling back to initials
- Update MCP wiki docs with new Option B machine client setup guide
jubnl
2026-05-22 14:42:20 +02:00
parent bfe6664ac4
commit c828fca059
25 changed files with 417 additions and 56 deletions
@@ -18,6 +18,16 @@ Once connected, an AI assistant can work with your TREK data in a single convers
Changes made through MCP are broadcast to all connected clients in real-time — exactly like changes made in the web UI.
## Authentication options
| Use case | Method |
|---|---|
| Interactive client (Claude.ai, Cursor, VS Code…) | OAuth 2.1 with browser consent — TREK issues tokens after you approve scopes in a consent screen |
| AI agent or script running unattended | Machine client (client_credentials) — token obtained directly via `client_id` + `client_secret`, no browser ever opened |
| Legacy setups | Static API token — deprecated, full access, no scopes |
See [MCP-Setup](MCP-Setup) for step-by-step instructions for each method.
## Requirements
- **MCP addon enabled** — an administrator must enable the MCP addon (`mcp`) from the Admin Panel before the `/mcp` endpoint becomes available and the MCP section appears in user settings.
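Review bot: In the "Authentication options" table, the machine client row is the only one that says nothing about scopes. The interactive row states that scopes are approved on a consent screen and the legacy row states "full access, no scopes", but with no consent step a reader cannot tell what a client_credentials token is allowed to do or on whose data it acts. Suggest stating in that row, or in a sentence under the table, how scopes are assigned to a machine client, and mentioning that these tokens are access-only with no refresh token, as the commit message says, so unattended scripts know to request a new token on expiry. Since `client_id` + `client_secret` alone yield a token, a short pointer to how the secret should be stored and rotated would also fit here, or confirm that MCP-Setup covers it.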