[Client] Implement OAuth scope handling (WWW-Authenticate, scopes_supported, step-up, retry-limit, omitted) #322

@soyuka

Context

Five baseline scenarios cover scope acquisition strategies the client must follow when constructing authorize/token requests:

  • auth/scope-from-www-authenticate — parse scope="<list>" from WWW-Authenticate insufficient_scope challenges and request those scopes on next authorize.
  • auth/scope-from-scopes-supported — when no challenge hint, fall back to scopes_supported from AS metadata.
  • auth/scope-omitted-when-undefined — when neither source provides scopes, omit the scope parameter entirely (do not send empty string).
  • auth/scope-step-up — on 403/401 with error=insufficient_scope, restart auth flow requesting the augmented scope set.
  • auth/scope-retry-limit — bound step-up retries to one to prevent infinite loops.

Scope

  • Mcp\Client\Auth\ScopeResolver consulted by AuthCoordinator before every authorize/token request.
  • WwwAuthenticateParser returning scope, error, error_description, resource_metadata.
  • Step-up retry counter held in AuthCoordinator state.

Conformance scenarios unblocked

All 5 scope scenarios above.

Dependencies

Blocked by: #316 (401 plumbing), #318 (AS metadata), #319 (Auth Code flow).

Acceptance

  • Unit tests per resolution path.
  • Conformance: 5 baseline scenarios pass.

cc @soyuka
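
The resolution order and the step-up bound listed above, as an added PHP sketch that is not the SDK's own code. The function names are hypothetical, the header is assumed to carry a single Bearer challenge, and "augmented" is assumed to mean the previously requested scopes plus the challenged ones.

```php
<?php
declare(strict_types=1);
// Hypothetical helpers for illustration; not the SDK's ScopeResolver or WwwAuthenticateParser.
/** Parse the auth-params of a single Bearer challenge into a lowercase name => value map. */
function parseBearerChallenge(string $header): array
{
    if (!preg_match('/^\s*Bearer\s+(.*)$/is', $header, $m)) {
        return [];
    }
    $re = '/([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\\\]|\\\\.)*)"|([^\s,"]+))/';
    preg_match_all($re, $m[1], $pairs, PREG_SET_ORDER);
    $params = [];
    foreach ($pairs as $p) {
        // Group 3 is present only for an unquoted token; otherwise unescape the quoted string.
        $params[strtolower($p[1])] = $p[3] ?? stripslashes($p[2]);
    }
    return $params;
}

function splitScopes(?string $scope): array
{
    return preg_split('/ +/', trim($scope ?? ''), -1, PREG_SPLIT_NO_EMPTY) ?: [];
}

/** Challenge scope first, then scopes_supported, else null (omit the parameter). */
function resolveScopes(array $challenge, array $asMetadata): ?array
{
    $scopes = splitScopes($challenge['scope'] ?? null) ?: ($asMetadata['scopes_supported'] ?? []);
    return $scopes !== [] ? array_values($scopes) : null;
}

/** Step-up set (assumption: requested plus challenged scopes), or null when the limit is spent. */
function stepUpScopes(array $challenge, array $requested, int &$retries, int $limit = 1): ?array
{
    if (($challenge['error'] ?? '') !== 'insufficient_scope' || $retries >= $limit) {
        return null;
    }
    $retries++;
    return array_values(array_unique(array_merge($requested, splitScopes($challenge['scope'] ?? null))));
}

// Constructed sample challenge, not taken from a real server.
$c = parseBearerChallenge('Bearer error="insufficient_scope", scope="mcp:read mcp:write"');
$retries = 0;
var_dump(resolveScopes($c, []), stepUpScopes($c, ['mcp:read'], $retries), stepUpScopes($c, ['mcp:read'], $retries));
$scopes = resolveScopes([], []); // neither source provides scopes
$query = ['response_type' => 'code'];
if ($scopes !== null) { $query['scope'] = implode(' ', $scopes); }
echo http_build_query($query), "\n";
```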

Labels

  • Client: Issues & PRs related to the Client component
  • P1: Significant bug affecting many users, highly requested feature
  • auth: Issues and PRs related to Authentication / OAuth
  • enhancement: Request for a new feature that's not currently supported
  • improves spec compliance: Improves consistency with other SDKs such as TypeScript
