feat(atproto/oauth): add OAuthCoordinator with sign-in + progressive scope escalation
Stitches metadata discovery, PAR, browser consent, token exchange, and
token storage into a single signIn(handle:) flow; ensureScope(_:for:) is
a no-op when granted scopes already satisfy the request, triggering a
fresh browser flow only on actual scope gaps.
Also fixes AuthorizationURL.build to percent-encode colons in query
values (request_uri urn: prefix), required by RFC 9126 §2.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>