First off, I want to confirm one thing: the auth spec appears to imply that an app that only uses the client-side flow never needs to use the client_secret at all (as does the OAuth i-d). Is this correct?
Anyway, the client-side flow requires directing the user to a URL on App.net, having them log in, and getting back a token via an HTTP redirect. I'm guessing the imagined use case is an HTML5 app, an iOS app, etc., where there's a convenient web browser available, and where there's an obvious URL to receive the token callback on a redirect (the actual URL of the HTML5 app, a custom protocol scheme registered with iOS, etc.).
This is pretty awkward for a command-line client, since there may be no web browser, and even if there is a web browser, there may be no way to receive the redirect back in the app. I'm curious if you've considered this use case, and have a recommendation. (I specifically want to add support to Barnowl, which is a multi-protocol client that you can basically treat like your favorite command-line IRC client for the purposes of this discussion.)
One option would be to allow an explicit way for an API client to pass a username and password. I can see why this would be distasteful, but note that disallowing it is only mild obfuscation -- it's pretty possible for me to scrape your login page and write code to take a username and password, hit the login page, programatically authorize my app, and return back to it.
Another option would be to generate an app-specific password on the web interface (think Google's fallback for using protocols like IMAP or XMPP when you have 2-factor authentication). This would be simple enough for the user to do, and simple enough to support on the application end. For bonus elegance points, the app-specific password should just be an access token, although a password usable with e.g. SSL-protected Basic auth would be fine too.
I also note that the spec does not specify when an access token will expire, or whether they expire at all. For a long-running command-line client on a remote machine in a screen session, we'll preferably want the access token to be usable indefinitely, and if not we'll want an explicit expiration time so we can alert the user enough in advance to re-do the auth flow while they're connected (preferably a day or so in advance, so tokens should last at least several days if requested). Can this be clarified?
One advantage of the app-specific password approach is it makes it abundantly clear how long that password is valid, namely, as long as that app-specific password is still listed on the user's profile, and it also makes it obvious how to revoke access for a client.
A related use case that's worth considering is robot accounts (commit notifications, etc.), where some code legitimately has a password of its own, and ideally a human doesn't need to visit a website even if the bot needs to be restarted.