feat: Incremental consent support in OAuth2Client

[ralflang]

Incremental consent support in OAuth2Client

A single OAuth client registration per provider should serve both login and
service-API needs. When a user initially connects (e.g. for login), only
baseline scopes are requested (read:user user:email). Later, when an app
like whups needs repo access, the authorization flow must be re-triggered
with the merged scope set so the provider shows consent for only the new
scopes.

OAuth2Client::getAuthorizationUrl() currently accepts a $scopes array but the caller is responsible for knowing which scopes to request. There is no concept of "current granted scopes" vs "additionally needed scopes" in the
library.

Needed Capabilities:

• A helper (or method on OAuth2Client) that accepts the currently granted
  scope string (from TokenSet::$scope) and the additionally needed scopes,
  merges them (union, no duplicates), and produces the authorization URL.
• On callback, the new TokenSet returned by exchangeCode() already
  carries the full granted scope in TokenSet::$scope — no change needed
  there.
• Document that providers may or may not support true incremental consent
  Examples:
  • Google does natively.
  • GitHub replaces the full scope set.
  • Mastodonreissues.

The merge-and-redirect approach should work for all of the currently assessed cases.