When a CIMD client (like Claude Code) connects to an OAuthProxy with both required_scopes and valid_scopes configured, it gets registered with only required_scopes. This happens because CIMD clients bypass the RegistrationHandler (which applies valid_scopes via ClientRegistrationOptions), and the _default_scope_str fallback was built from required_scopes alone. Any authorization request for a scope beyond the required set gets rejected with invalid_scope before it ever reaches the upstream IdP.

The fix is a one-line change: _default_scope_str now prefers valid_scopes, matching the logic already used when constructing ClientRegistrationOptions.

Closes #3828