feat(oidc): POST /api/v1/auth/oidc/test dry-run endpoint (MED-5)

Audit 2026-05-10 MED-5 closure (backend half).

WHAT.

New POST /api/v1/auth/oidc/test endpoint that validates an OIDC
provider configuration without persisting anything. Mirrors the
read-only legs of the production getOrLoad path so operators can
catch typos / network reachability problems / IdP-advertises-weak-
alg conditions BEFORE creating the provider row.

Request body: {issuer_url, client_id, client_secret, scopes} —
client_secret is accepted but unused (discovery + JWKS reachability
do not require it).

Response body: TestDiscoveryResult{
  discovery_succeeded     — gooidc.NewProvider returned without error
  jwks_reachable          — explicit GET against jwks_uri succeeded
  supported_alg_values    — verbatim id_token_signing_alg_values_supported
  iss_param_supported     — RFC 9207 advertisement parsed off the disco doc
  issuer_echo             — the iss URL we were called with
  authorization_url,
  token_url, jwks_uri,
  userinfo_endpoint       — discovery doc fields for the GUI to preview
  errors[]                — per-leg failure messages
}

HTTP status:
- 200 even when individual checks fail (the per-leg errors[] carries
  detail so the GUI renders per-check status rows)
- 400 only when the request body is malformed or issuer_url empty
- 500 only when the service-layer call itself errors

WHY.

Pre-fix, operators configuring OIDC had to create a provider, then
hit /refresh, then read the audit log to figure out whether the
discovery doc was reachable / whether the IdP advertises HS256
(the alg-downgrade trap). The GUI rendered no per-check feedback.
MED-5 closes the dry-run gap for the same reason every Issuer +
Target connector has a 'Test connection' button — operator
experience parity.

HOW.

internal/auth/oidc/test_discovery.go (NEW):
  - TestDiscoveryResult struct with the per-leg projection.
  - Service.TestDiscovery(ctx, issuerURL) drives the read-only
    subset of getOrLoad: gooidc.NewProvider, claims parse for
    alg-supported + iss-param-supported + jwks_uri + userinfo,
    alg-downgrade defense, jwksReachable HTTP GET.
  - jwksReachable is a package-level closure so tests can swap.

internal/api/handler/auth_session_oidc.go:
  - TestProvider HTTP handler. Uses an inline discoveryTester
    interface to type-assert against the OIDCAuthHandshaker stub
    (the production Service satisfies; test stubs supply via
    explicit method). Audit row 'auth.oidc_provider_tested' carries
    the summary fields.

internal/api/router/router.go:
  - Wired as POST /api/v1/auth/oidc/test under rbacGate('auth.oidc.create').

internal/api/handler/auth_session_oidc_test.go:
  - stubOIDCSvc gains testResult + testErr fields + TestDiscovery
    method so it satisfies the inline interface.
  - 3 regression tests: happy path, missing issuer_url -> 400,
    discovery-failure -> 200 with errors[] populated.

VERIFY.

- go vet ./internal/auth/oidc/... ./internal/api/handler/...
  ./internal/api/router/...                                   PASS
- go test -short -count=1 -run TestProvider
  ./internal/api/handler/...                                  PASS (3/3)
- go test -short -count=1 ./internal/auth/oidc/...            PASS (3.7s)
- go test -short -count=1 ./internal/api/handler/...          PASS (4.7s)

Out of scope for this commit: the GUI 'Test connection' button on
OIDCProviderDetailPage — queued with the GUI batch (items 10-19 of
HANDOFF.md).

Refs: cowork/auth-bundles-audit-2026-05-10.md MED-5
      cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 2

internal/api/handler/auth_session_oidc.go

@@ -950,6 +950,71 @@ func (h *AuthSessionOIDCHandler) DeleteProvider(w http.ResponseWriter, r *http.R
 	w.WriteHeader(http.StatusNoContent)
 }
 
+// TestProvider handles POST /api/v1/auth/oidc/test.
+//
+// Audit 2026-05-10 MED-5 closure. Dry-run validator for an OIDC
+// provider config: runs OIDC discovery, the alg-downgrade defense,
+// the RFC 9207 iss-parameter detection, and a JWKS fetch — without
+// persisting anything. Body: `{issuer_url, client_id, scopes}`
+// (client_secret accepted but ignored — discovery + JWKS don't
+// require it). Response: TestDiscoveryResult; HTTP 200 even when
+// individual checks fail (the response Errors field carries them so
+// the GUI can render per-check status rows).
+//
+// Permission gate: `auth.oidc.create` (the operator is dry-running a
+// provider they're about to create; the lookup endpoints have their
+// own .list gate so this can't be used as a roundabout reconnaissance
+// vector beyond what those already permit).
+func (h *AuthSessionOIDCHandler) TestProvider(w http.ResponseWriter, r *http.Request) {
+	caller, err := callerFromRequest(r)
+	if err != nil {
+		writeAuthError(w, err)
+		return
+	}
+	var req struct {
+		IssuerURL    string   `json:"issuer_url"`
+		ClientID     string   `json:"client_id"`
+		ClientSecret string   `json:"client_secret"`
+		Scopes       []string `json:"scopes"`
+	}
+	if derr := json.NewDecoder(r.Body).Decode(&req); derr != nil {
+		Error(w, http.StatusBadRequest, "invalid JSON body")
+		return
+	}
+	if strings.TrimSpace(req.IssuerURL) == "" {
+		Error(w, http.StatusBadRequest, "issuer_url is required")
+		return
+	}
+	// Type-assert to the concrete service so we can reach the
+	// TestDiscovery method. The OIDCAuthHandshaker interface is
+	// intentionally narrow; rather than widening it (which would force
+	// every test stub to implement TestDiscovery) we accept the
+	// concrete reference for this single endpoint. Production code
+	// always supplies *oidcsvc.Service.
+	type discoveryTester interface {
+		TestDiscovery(ctx context.Context, issuerURL string) (*oidcsvc.TestDiscoveryResult, error)
+	}
+	tester, ok := h.oidcSvc.(discoveryTester)
+	if !ok {
+		Error(w, http.StatusInternalServerError, "OIDC service does not support discovery test")
+		return
+	}
+	res, terr := tester.TestDiscovery(r.Context(), strings.TrimSpace(req.IssuerURL))
+	if terr != nil {
+		Error(w, http.StatusInternalServerError, "discovery test execution failed")
+		return
+	}
+	h.recordAudit(r.Context(), "auth.oidc_provider_tested", caller.ActorID, caller.ActorType, "",
+		map[string]interface{}{
+			"issuer_url":           req.IssuerURL,
+			"discovery_succeeded":  res.DiscoverySucceeded,
+			"jwks_reachable":       res.JWKSReachable,
+			"iss_param_supported":  res.IssParamSupported,
+			"error_count":          len(res.Errors),
+		})
+	writeJSON(w, http.StatusOK, res)
+}
+
 // RefreshProvider handles POST /api/v1/auth/oidc/providers/{id}/refresh.
 // Forces re-fetch of the IdP discovery doc + JWKS, re-runs the IdP
 // downgrade-attack defense.