fix: pass oauth scopes through without filtering in client metadata
The filter_atproto_scopes function was incorrectly dropping valid scopes
that weren't in a hardcoded list of two. Scopes are validated at config
save time, so filtering here was both redundant and broken.