resolveKnownAuthServer

Short-circuits the discovery chain for flows where the auth server is already known (e.g. signup, where the user has no handle/DID yet). Fetches only the auth-server metadata; AuthServerMetadata.did, AuthServerMetadata.handle, and AuthServerMetadata.pdsUrl are left null — populate them post-token-exchange via hydrateIdentityFromDid.

Accepts either a bare hostname ("bsky.social") or an https:// URL ("https://bsky.social"); both are normalized. Plain http:// URLs are rejected because OAuth 2.0 requires the authorization server be reached over TLS.