Begin cleaning up OAuth scope handling

Description

Summary:
Ref T7303. OAuth scope handling never got fully modernized and is a bit of a mess.

Also introduce implicit "ALWAYS" and "NEVER" scopes.

Always give tokens access to meta-methods like conduit.getcapabilities and conduit.query. These do not expose user information.

Test Plan:

  • Used a token to call user.whoami.
  • Used a token to call conduit.query.
  • Used a token to try to call user.query, got rebuffed.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T7303

Differential Revision: https://secure.phabricator.com/D15593

Details

Provenance
epriestley: Authored on Apr 3 2016, 8:25 AM
themackabu: Pushed on Mar 25 2025, 8:07 PM
Parents
rP694a8543d809: Modernize some OAuth Server code