[Client] Implement OAuth 2.0 Authorization Code flow with PKCE (RFC 6749 + RFC 7636)

[soyuka]

Context

Primary user-facing flow. Required for any interactive MCP client to obtain tokens after PRM/AS discovery.

Scope

• Mcp\Client\Auth\Grant\AuthorizationCodeGrant:
  • Generate PKCE code_verifier + code_challenge (S256).
  • Build authorize URL with client_id, redirect_uri, response_type=code, code_challenge, code_challenge_method, scope, state, resource (audience-binding RFC 8707).
  • Pluggable user-agent dispatcher: callback hook so library users can open a browser / present URL in CLI.
  • Local loopback redirect listener (default) or custom redirect handler.
  • Exchange code → tokens at token_endpoint; persist via TokenStorageInterface.
• Verify state round-trip; reject mismatched.

Conformance scenarios unblocked

auth/basic-cimd and prerequisite for all scope/refresh/cross-app scenarios.

Dependencies

Blocked by: #315, #316, #317, #318. Pairs with #319 (token endpoint auth methods).

Acceptance

• Unit tests for PKCE generation + state validation.
• Conformance: auth/basic-cimd passes.

cc @soyuka