[tracking] Identity fetch coverage for remaining providers

[peteski22]

Roll out fetch_identity() to the remaining built-in providers, following the pattern established in #45 / #46 (Google + GitHub).

Shape rules

• IdentityProfile is best-effort: every field except possibly subject may be None. Always populate raw with the upstream payload.
• Two identity flavors, both shipped through the same IdentityProfile:
  • User identity — person claims (sub, email, name, picture). Microsoft, Atlassian, Typeform, Salesforce, Linear, Notion-external, Slack-SiwS.
  • Account/integration identity — workspace/portal/bot context with optional or absent person email. Notion-internal, HubSpot.
• No assumption that access tokens are JWTs — Microsoft Graph tokens may be opaque.

Sub-issues

• feat(microsoft): add fetch_identity via Graph oidc/userinfo #47: Microsoft fetch_identity via graph oidc/userinfo
• feat(atlassian): add fetch_identity via api.atlassian.com/me #48: Atlassian fetch_identity via api.atlassian.com/me
• feat(typeform): add fetch_identity via /me #49: Typeform fetch_identity via /me
• feat(salesforce): add fetch_identity via instance userinfo endpoint #50: Salesforce fetch_identity via instance userinfo endpoint
• feat(linear): add fetch_identity via GraphQL viewer query #51: Linear fetch_identity via GraphQL viewer
• feat(notion): add fetch_identity returning bot/workspace identity #52: Notion fetch_identity returning bot/workspace identity
• feat(hubspot): add fetch_identity via OAuth token introspection #53: HubSpot fetch_identity via OAuth token introspection
• feat(slack): add fetch_identity for Sign-in-with-Slack OIDC flow #54: Slack fetch_identity for Sign-in-with-Slack only

Out of scope

• Slack workspace-bot identity (users.identity / auth.test) — reconsider only if a use case lands.
• A standalone "provider identity matrix" doc — defer until in-repo drift makes it necessary.