feat(oidc): POST /api/v1/auth/oidc/test dry-run endpoint (MED-5)

Audit 2026-05-10 MED-5 closure (backend half).

WHAT.

New POST /api/v1/auth/oidc/test endpoint that validates an OIDC
provider configuration without persisting anything. Mirrors the
read-only legs of the production getOrLoad path so operators can
catch typos / network reachability problems / IdP-advertises-weak-
alg conditions BEFORE creating the provider row.

Request body: {issuer_url, client_id, client_secret, scopes} —
client_secret is accepted but unused (discovery + JWKS reachability
do not require it).

Response body: TestDiscoveryResult{
  discovery_succeeded     — gooidc.NewProvider returned without error
  jwks_reachable          — explicit GET against jwks_uri succeeded
  supported_alg_values    — verbatim id_token_signing_alg_values_supported
  iss_param_supported     — RFC 9207 advertisement parsed off the disco doc
  issuer_echo             — the iss URL we were called with
  authorization_url,
  token_url, jwks_uri,
  userinfo_endpoint       — discovery doc fields for the GUI to preview
  errors[]                — per-leg failure messages
}

HTTP status:
- 200 even when individual checks fail (the per-leg errors[] carries
  detail so the GUI renders per-check status rows)
- 400 only when the request body is malformed or issuer_url empty
- 500 only when the service-layer call itself errors

WHY.

Pre-fix, operators configuring OIDC had to create a provider, then
hit /refresh, then read the audit log to figure out whether the
discovery doc was reachable / whether the IdP advertises HS256
(the alg-downgrade trap). The GUI rendered no per-check feedback.
MED-5 closes the dry-run gap for the same reason every Issuer +
Target connector has a 'Test connection' button — operator
experience parity.

HOW.

internal/auth/oidc/test_discovery.go (NEW):
  - TestDiscoveryResult struct with the per-leg projection.
  - Service.TestDiscovery(ctx, issuerURL) drives the read-only
    subset of getOrLoad: gooidc.NewProvider, claims parse for
    alg-supported + iss-param-supported + jwks_uri + userinfo,
    alg-downgrade defense, jwksReachable HTTP GET.
  - jwksReachable is a package-level closure so tests can swap.

internal/api/handler/auth_session_oidc.go:
  - TestProvider HTTP handler. Uses an inline discoveryTester
    interface to type-assert against the OIDCAuthHandshaker stub
    (the production Service satisfies; test stubs supply via
    explicit method). Audit row 'auth.oidc_provider_tested' carries
    the summary fields.

internal/api/router/router.go:
  - Wired as POST /api/v1/auth/oidc/test under rbacGate('auth.oidc.create').

internal/api/handler/auth_session_oidc_test.go:
  - stubOIDCSvc gains testResult + testErr fields + TestDiscovery
    method so it satisfies the inline interface.
  - 3 regression tests: happy path, missing issuer_url -> 400,
    discovery-failure -> 200 with errors[] populated.

VERIFY.

- go vet ./internal/auth/oidc/... ./internal/api/handler/...
  ./internal/api/router/...                                   PASS
- go test -short -count=1 -run TestProvider
  ./internal/api/handler/...                                  PASS (3/3)
- go test -short -count=1 ./internal/auth/oidc/...            PASS (3.7s)
- go test -short -count=1 ./internal/api/handler/...          PASS (4.7s)

Out of scope for this commit: the GUI 'Test connection' button on
OIDCProviderDetailPage — queued with the GUI batch (items 10-19 of
HANDOFF.md).

Refs: cowork/auth-bundles-audit-2026-05-10.md MED-5
      cowork/auth-bundles-fixes-2026-05-10/HANDOFF.md item 2

internal/api/handler/auth_session_oidc_test.go

@@ -41,6 +41,11 @@ type stubOIDCSvc struct {
 	callbackRes *oidcsvc.CallbackResult
 	callbackErr error
 	refreshErr  error
+	// Audit 2026-05-10 MED-5 — stub for the TestDiscovery dry-run.
+	// When testResult is non-nil, the handler-level type assertion
+	// resolves and the response carries this verbatim.
+	testResult *oidcsvc.TestDiscoveryResult
+	testErr    error
 }
 
 func (s *stubOIDCSvc) HandleAuthRequest(_ context.Context, _, _, _ string) (string, string, string, error) {
@@ -51,6 +56,12 @@ func (s *stubOIDCSvc) HandleCallback(_ context.Context, _, _, _, _, _, _ string)
 }
 func (s *stubOIDCSvc) RefreshKeys(_ context.Context, _ string) error { return s.refreshErr }
 
+// TestDiscovery satisfies the inline discoveryTester interface used by
+// the TestProvider HTTP handler. Audit 2026-05-10 MED-5.
+func (s *stubOIDCSvc) TestDiscovery(_ context.Context, _ string) (*oidcsvc.TestDiscoveryResult, error) {
+	return s.testResult, s.testErr
+}
+
 type stubSession struct {
 	createRes      *sessionsvc.CreateResult
 	createErr      error
@@ -1215,3 +1226,81 @@ func TestClassifyOIDCFailure(t *testing.T) {
 		}
 	}
 }
+
+// =============================================================================
+// MED-5 regression tests — TestProvider dry-run endpoint.
+// =============================================================================
+
+func TestTestProvider_HappyPath(t *testing.T) {
+	o := &stubOIDCSvc{
+		testResult: &oidcsvc.TestDiscoveryResult{
+			DiscoverySucceeded: true,
+			JWKSReachable:      true,
+			SupportedAlgValues: []string{"RS256", "ES256"},
+			IssParamSupported:  true,
+			IssuerEcho:         "https://idp.example.com",
+		},
+	}
+	h, _, _, _, audit, _ := newPhase5Handler(t, o, &stubSession{}, &stubBCLVerifier{})
+
+	body := strings.NewReader(`{"issuer_url":"https://idp.example.com","client_id":"app","scopes":["openid"]}`)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/oidc/test", body)
+	req = withActor(req, "u-admin", "User")
+	w := httptest.NewRecorder()
+	h.TestProvider(w, req)
+	if w.Code != http.StatusOK {
+		t.Fatalf("status = %d; want 200; body=%s", w.Code, w.Body.String())
+	}
+	if !strings.Contains(w.Body.String(), `"discovery_succeeded":true`) {
+		t.Errorf("body missing discovery_succeeded:true; got %s", w.Body.String())
+	}
+	if !strings.Contains(w.Body.String(), `"iss_param_supported":true`) {
+		t.Errorf("body missing iss_param_supported:true")
+	}
+	if !contains(audit.events, "auth.oidc_provider_tested") {
+		t.Errorf("expected auth.oidc_provider_tested audit event; got %v", audit.events)
+	}
+}
+
+func TestTestProvider_MissingIssuerURL_Returns400(t *testing.T) {
+	h, _, _, _, _, _ := newPhase5Handler(t, &stubOIDCSvc{}, &stubSession{}, &stubBCLVerifier{})
+
+	body := strings.NewReader(`{"client_id":"app"}`)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/oidc/test", body)
+	req = withActor(req, "u-admin", "User")
+	w := httptest.NewRecorder()
+	h.TestProvider(w, req)
+	if w.Code != http.StatusBadRequest {
+		t.Errorf("status = %d; want 400", w.Code)
+	}
+}
+
+// TestTestProvider_DiscoveryFailureReturns200WithErrors pins the
+// failure-shape contract: discovery failure is a per-leg failure
+// surfaced in the response body's `errors` array, NOT a 5xx — the
+// GUI renders the per-check status row from the response.
+func TestTestProvider_DiscoveryFailureReturns200WithErrors(t *testing.T) {
+	o := &stubOIDCSvc{
+		testResult: &oidcsvc.TestDiscoveryResult{
+			DiscoverySucceeded: false,
+			JWKSReachable:      false,
+			Errors:             []string{"discovery fetch failed: connection refused"},
+		},
+	}
+	h, _, _, _, _, _ := newPhase5Handler(t, o, &stubSession{}, &stubBCLVerifier{})
+
+	body := strings.NewReader(`{"issuer_url":"https://broken.example.com"}`)
+	req := httptest.NewRequest(http.MethodPost, "/api/v1/auth/oidc/test", body)
+	req = withActor(req, "u-admin", "User")
+	w := httptest.NewRecorder()
+	h.TestProvider(w, req)
+	if w.Code != http.StatusOK {
+		t.Fatalf("status = %d; want 200 (per-leg failure rides in body); body=%s", w.Code, w.Body.String())
+	}
+	if !strings.Contains(w.Body.String(), `"discovery_succeeded":false`) {
+		t.Errorf("expected discovery_succeeded:false in body; got %s", w.Body.String())
+	}
+	if !strings.Contains(w.Body.String(), "connection refused") {
+		t.Errorf("expected error detail in body; got %s", w.Body.String())
+	}
+}