fix(issuer): align implicit flow with RFC 6749

[swalker326]

Summary

• port the upstream implicit-flow compliance fix from fix(issuer): ensure implicit flow complies with RFC 6749 Section 4.2.2 anomalyco/openauth#304 into our fork
• stop issuing refresh_token values for response_type=token and include token_type=Bearer plus expires_in in the fragment response
• add issuer coverage that validates the implicit-flow response shape and confirms the change works with our current token generation path
• include our local upstream priority tracker for follow-up cherry-picks

Validation

• bun test packages/openauth/test/issuer.test.ts
• bun run --filter "@kagii/openauth" typecheck
• bun run --filter "@kagii/openauth" check

Platform fit

• this change is isolated to the implicit flow branch in issuer() and reuses the existing generateRefreshToken: false option already supported by our fork
• code flow, refresh-token flow, and client-credentials behavior stay unchanged

Credit

• original upstream fix by @niklaswallerstedt in fix(issuer): ensure implicit flow complies with RFC 6749 Section 4.2.2 anomalyco/openauth#304

[shpaw415]

This PR introduce a fix the of the malformed flow, displayed in the RFC 6749.
I reviewd:

1. RFC 6749 Compliance
   The implementation perfectly aligns with Section 4.2.2 of the spec. Specifically, removing the refresh_token from the response_type=token flow is a key security correction. Including token_type=Bearer and expires_in in the URI fragment ensures we are now fully compliant with standard expectations for implicit grants.

2. Test Coverage & Validation
   I've reviewed the changes in packages/openauth/test/issuer.test.ts. The new test cases effectively validate the shape of the fragment response and is specific of the assigned token flow.

Approved!