atproto-oauth: add Session type
New Session module in the atproto-oauth core library. Holds the
durable identity (DID), the current PDS and AS metadata, a DPoP
keypair, the access/refresh tokens, and scope.
- DID is the anchor; handle is cached for display and may go stale
after a handle rotation.
- Dpop.key is held opaque. Disk persistence waits on ocaml-dpop
growing a private-key serialization API.
- is_expired takes a clock and a leeway (default 60s) so callers
don't race the server.
- pp surfaces durable identifiers (did, handle, pds, issuer) and
never tokens or key material; tested explicitly.
4 new tests (accessors, no-handle-or-tokens defaults, is-expired
with leeway boundaries, pp-hides-secrets).
Refresh/rotation logic needs DPoP-aware token endpoint calls that
aren't yet in ocaml-oauth; lands with the login flow (PAR + loopback
+ token exchange) in a follow-up.