fix: AuthenticatedHttpMessageHandler tolerates missing AzureAd:Scopes

In the WebApp, this handler is registered but unused (the WebApp has its
own OIDC-based AuthenticatedApiDelegatingHandler). Previously it threw
on construction if AzureAd:Scopes was missing. Now it defaults to empty
scopes and short-circuits SendAsync — a no-op passthrough.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: davidortinau

src/SentenceStudio.AppLib/Services/AuthenticatedHttpMessageHandler.cs

@@ -28,13 +28,15 @@ public AuthenticatedHttpMessageHandler(
         _logger = logger;
 
         _defaultScopes = configuration.GetSection("AzureAd:Scopes").Get<string[]>()
-            ?? throw new InvalidOperationException(
-                "AzureAd:Scopes must be configured.");
+            ?? Array.Empty<string>();
     }
 
     protected override async Task<HttpResponseMessage> SendAsync(
         HttpRequestMessage request, CancellationToken cancellationToken)
     {
+        if (_defaultScopes.Length == 0)
+            return await base.SendAsync(request, cancellationToken);
+
         try
         {
             var token = await _authService.GetAccessTokenAsync(_defaultScopes);