test(server): add behavioural unit tests for auth + common security helpers
Batch 1 of the test-strategy rollout. Fills the highest-value gaps where
existing specs were only `toBeDefined()` smoke tests or absent. Test-only,
no production source touched.
- token.service.behavior.spec.ts: verifyJwt type-mismatch rejection (confused
deputy), generateAccessToken/generateCollabToken disabled-user -> Forbidden,
agent `actor` claim only from signed provenance, correct expiry.
- auth.util.spec.ts: computeEmailSignature (stable HMAC, case-normalized),
throwIfEmailNotVerified, validateSsoEnforcement, validateAllowedEmail;
it.todo flags the unguarded `@`-less email TypeError.
- guards/setup.guard.spec.ts: cloud blocks setup, first-run allows, re-run on
an initialised instance is forbidden (privilege escalation guard).
- security-headers.spec.ts: resolveFrameHeader clickjacking/CSP branches.
- utils.security.spec.ts: redactSensitiveUrl, extractBearerTokenFromHeader,
parseRedisUrl, normalizePostgresUrl, diffAuditTrackedFields, isUserDisabled.
60 tests + 1 todo, all green. Reviewed for mutation resistance.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
f8e8ada581