test oauth client: conformance suite for atproto OAuth clients #3

Summary#

Adds atproto-devtool test oauth client <target> [interactive] — a conformance suite for atproto OAuth clients with static stages (discovery, metadata, JWKS) and an optional interactive stage that runs an in-process fake authorization server and drives a full OAuth 2.0 + DPoP + PKCE + PAR flow against the client.
Promotes report.rs out of the labeler tree to src/common/report.rs and converts Stage to a pub struct Stage(pub &'static str) newtype so labeler and oauth_client can share rendering without a coupling enum.
Introduces src/common/oauth/ (clock, jws, relying_party) including a deterministic RelyingParty seeded via ChaCha20Rng so DPoP proofs and PKCE verifiers are reproducible in tests.
Merges main (labeler report stage + normalize_timing fix + supporting refactors) — see commit 2d865a4 for merge-resolution notes.

Manually run cargo run -- test oauth client https://example.com against a local atproto OAuth client and confirm static stages exit 0 and render the expected report.
Manually run cargo run -- test oauth client <target> interactive and drive a flow from the browser; confirm the interactive report surfaces the 12 per-flow AC check IDs.
Confirm that cargo run -- test labeler still works correctly after the main merge.