Bumps coverage on harmony-fleet-auth from 5 to 18 unit tests. The
new tests lock the corners we burned cycles on while debugging
the live system:
* cache freshness boundary (within-leeway, outside-leeway,
no-cache, non-zitadel variant)
* assertion claim shape (iss/sub/aud/exp/iat) and the 60-second
lifetime constant Zitadel enforces server-side
* scope string content (plural-projects-roles + singular-project-id
URN + openid base)
* token URL strips trailing slashes (the //oauth/v2/token 404
waiting to bite the next operator)
* MachineKeyFile JSON parsing under Zitadel's wire shape
Refactor: build_assertion now delegates to build_assertion_claims
+ build_assertion_header (pure, no signing). Lets the claim/header
shape be unit-tested without an RSA private-key fixture; the
sign-and-decode end-to-end is still covered by the e2e harness.
No new deps. wiremock not needed — every meaningful assertion is
on pure logic.
Jean-Gabriel Gill-Couture
84a25dbb07