Track processed candidates in session and use OAuth for API calls

- Record skips, saves, and no-match results in session["skipped"] so
  revisiting an article resumes past already-checked candidates
- Filter self-links (case-insensitive first letter) from hit list
- Use OAuth session for all API reads when logged in for higher rate limits
- Add "for" template to exclusion list to avoid bad edits
- Improve API error handling with HTTP status codes logged to stderr

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

add_links/mediawiki_oauth.py

@@ -99,6 +99,27 @@ def userinfo_call() -> typing.Mapping[str, typing.Any]:
     return api_request(params)
 
 
+def get_oauth_session() -> OAuth1Session | None:
+    """Return an OAuth1Session for the current user, or None if not logged in."""
+    if "owner_key" not in session or "owner_secret" not in session:
+        return None
+    app = current_app
+    client_key = app.config["CLIENT_KEY"]
+    client_secret = app.config["CLIENT_SECRET"]
+    oauth = OAuth1Session(
+        client_key,
+        client_secret=client_secret,
+        resource_owner_key=session["owner_key"],
+        resource_owner_secret=session["owner_secret"],
+    )
+    oauth.headers.update({"User-Agent": ua})
+    oauth.params = typing.cast(
+        dict[str, str | int],
+        {"format": "json", "action": "query", "formatversion": 2},
+    )
+    return oauth
+
+
 def get_username() -> None | str:
     """Get the username or None if not logged in."""
     if "owner_key" not in session: