Begin cleaning up OAuth scope handling
Ref T7303. OAuth scope handling never got fully modernized and is a bit of a mess.
Also introduce implicit "ALWAYS" and "NEVER" scopes.
Always give tokens access to meta-methods like conduit.getcapabilities and conduit.query. These do not expose user information.
- Used a token to call user.whoami.
- Used a token to call conduit.query.
- Used a token to try to call user.query, got rebuffed.
Reviewed By: chad
Maniphest Tasks: T7303
Differential Revision: https://secure.phabricator.com/D15593