fix(auth): use configured scope in loopback OAuth

Loopback clients previously hardcoded 'atproto transition:generic' as the
scope in both the client_id URL and metadata body, ignoring the user's
configured scope. Now buildClientId() and buildClientMetadata() both use
config.oauth.scope, keeping the client_id URL, metadata, and authorize()
call consistent.

- Use scope param in buildClientId() instead of hardcoded value
- Remove loopback ternary override in buildClientMetadata()
- Update tests to verify configured scope is embedded
- Fix misleading README comment about scope being auto-set
- Update changeset to reflect scope comes from config

Author: Kzoeps