feat(auth): implement response_type=id authentication flow

Implements both IndieAuth flows per W3C specification:
- Authentication flow (response_type=id): Code redeemed at authorization endpoint, returns only user identity
- Authorization flow (response_type=code): Code redeemed at token endpoint, returns access token

Changes:
- Authorization endpoint GET: Accept response_type=id (default) and code
- Authorization endpoint POST: Handle code verification for authentication flow
- Token endpoint: Validate response_type=code for authorization flow
- Store response_type in authorization code metadata
- Update metadata endpoint: response_types_supported=[code, id], code_challenge_methods_supported=[S256]

The default behavior now correctly defaults to response_type=id when omitted, per IndieAuth spec section 5.2.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

tests/unit/test_token_endpoint.py

@@ -71,11 +71,12 @@ def client(test_config, test_database, test_code_storage, test_token_service):
 
 @pytest.fixture
 def valid_auth_code(test_code_storage):
-    """Create a valid authorization code."""
+    """Create a valid authorization code (authorization flow)."""
     code = "test_auth_code_12345"
     metadata = {
         "client_id": "https://client.example.com",
         "redirect_uri": "https://client.example.com/callback",
+        "response_type": "code",  # Authorization flow - exchange at token endpoint
         "state": "xyz123",
         "me": "https://user.example.com",
         "scope": "",