feat: support for impersonation token exchange

[seriousben]

No description provided.

[Larry-Osakwe]

looks good. one thing - build_user_identifier_token validates empty string with a ValueError but there's no test covering that path. worth adding.

also just a heads up on versioning - this repo uses commitizen with conventional commits. when this merges the commit message should follow feat(keycardai-oauth): add user_identifier parameter to token exchange so the minor version bump and changelog get generated automatically. check DEVELOPER.md for the full format.

[Larry-Osakwe]

looks good. impersonate() follows the same pattern as exchange_token() on both clients, JWT builder is in the right place, and the MCP grant decorator change is clean.

Few things worth noting but not blocking:

PR is bigger than the title suggests. Beyond impersonation, this also adds exchange_authorization_code(), build_authorize_url(), a full _authorize.py module, and implements the PKCE methods that were previously stubs. Might be worth calling that out in the description so it's clear what's shipping here.

landing_page.py reaches into private APIs (_ensure_initialized(), _get_current_endpoints()). Would be nice if exchange_authorization_code handled discovery internally like impersonate and exchange_token do, so the example doesn't need to touch underscored methods. Not a blocker for this PR though.

The code scanning alert on _send_redirect is a false positive. The CR/LF stripping is already there.

Example is set up well. pyproject.toml with editable path dep, uv.lock, .env.example, CLI flags. Someone with a zone configured can pull this down and run it.