f8e8ada581
Batch 1 of the test-strategy rollout. Fills the highest-value gaps where existing specs were only `toBeDefined()` smoke tests or absent. Test-only, no production source touched.

- token.service.behavior.spec.ts: verifyJwt type-mismatch rejection (confused deputy), generateAccessToken/generateCollabToken disabled-user -> Forbidden, agent `actor` claim only from signed provenance, correct expiry.
- auth.util.spec.ts: computeEmailSignature (stable HMAC, case-normalized), throwIfEmailNotVerified, validateSsoEnforcement, validateAllowedEmail; it.todo flags the unguarded `@`-less email TypeError.
- guards/setup.guard.spec.ts: cloud blocks setup, first-run allows, re-run on an initialised instance is forbidden (privilege escalation guard).
- security-headers.spec.ts: resolveFrameHeader clickjacking/CSP branches.
- utils.security.spec.ts: redactSensitiveUrl, extractBearerTokenFromHeader, parseRedisUrl, normalizePostgresUrl, diffAuditTrackedFields, isUserDisabled.

60 tests + 1 todo, all green. Reviewed for mutation resistance.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
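The behaviours the commit message lists for token.service and auth.util (verifyJwt rejecting a signed token whose type claim does not match the expected type, generateAccessToken refusing a disabled user, expiry enforcement, and a case-normalised email HMAC) are shown below as an added, self-contained illustration. This is not the project's own code or its tests; the claim shape, the `type` claim name, the HS256 helper, the `User` interface and the error messages are all assumptions made for the example.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// Assumed shapes for the example; the real token.service types are not shown in the commit message.
type TokenType = "access" | "collab";
interface Claims { sub: string; type: TokenType; exp: number }
interface User { id: string; email: string; disabled: boolean }

const b64url = (data: Buffer | string): string => Buffer.from(data).toString("base64url");

// Minimal HS256 signer, for illustration only; a real service should use a maintained JWT library.
function signJwt(claims: Claims, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  return `${header}.${payload}.${b64url(sig)}`;
}

// Verifies the signature first, then enforces the token *type* and the expiry.
// The type check is the confused-deputy guard: a genuine, correctly signed access
// token must not be accepted where a collab token is expected, and vice versa.
function verifyJwt(token: string, expectedType: TokenType, secret: string, nowSec: number): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [header, payload, sig] = parts;
  const expected = createHmac("sha256", secret).update(`${header}.${payload}`).digest();
  const given = Buffer.from(sig, "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error("invalid signature");
  }
  const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as Claims;
  if (claims.type !== expectedType) {
    throw new Error(`token type mismatch: expected ${expectedType}, got ${claims.type}`);
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("token expired");
  return claims;
}

// Issues an access token; a disabled user is refused before any token is minted.
function generateAccessToken(user: User, secret: string, nowSec: number, ttlSec = 900): string {
  if (user.disabled) throw new Error("Forbidden: user is disabled");
  return signJwt({ sub: user.id, type: "access", exp: nowSec + ttlSec }, secret);
}

// Trimmed, lower-cased HMAC so "Alice@Example.com " and "alice@example.com" sign identically.
function computeEmailSignature(email: string, secret: string): string {
  return createHmac("sha256", secret).update(email.trim().toLowerCase()).digest("hex");
}

// Returns the verification failure message, or null on success, so callers can assert on it.
function verifyFailure(token: string, expectedType: TokenType, secret: string, nowSec: number): string | null {
  try {
    verifyJwt(token, expectedType, secret, nowSec);
    return null;
  } catch (e) {
    return (e as Error).message;
  }
}
```

The order of checks matters: the type and expiry checks run only after the signature has been validated, so an attacker cannot learn anything about claim handling from an unsigned or tampered token, and a signed token of the wrong type is refused even though its signature is valid.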