Bundle H follow-up: fix Pass 3 test mock shape mismatches caught by CI

CI surfaced two real failures in the Pass 3 tests:

1. ObservabilityPage.test.tsx — tests 2 + 3 mocked getMetrics with only

   the uptime field, but ObservabilityPage.tsx:85 reads metrics.gauge

   .certificate_total. Test 2 silently 'passed' because the page error

   bailed out before any rendering took place — its assertions (no live

   <script>, __xss_pwned__ undefined) became vacuous; test 3 surfaced

   the actual TypeError. Fix: every getMetrics mock now returns the full

   MetricsResponse shape (gauge / counter / uptime) per src/api/types.ts

   :517 — sanity-checked against the actual TS interface.

2. CertificateDetailPage.test.tsx — the xssCert mock was missing

   updated_at, which CertificateDetailPage.tsx:605 reads through

   formatDateTime. formatDateTime tolerates undefined per utils.ts:6,

   so the page didn't throw, but the cert mock should mirror the real

   ManagedCertificate shape — added updated_at.

Both fixes are mock-shape corrections; no production code changes.

web/src/pages/CertificateDetailPage.test.tsx

@@ -66,6 +66,7 @@ const xssCert = {
   renewal_policy_id: 'rp-xss',
   expires_at: new Date(Date.now() + 30 * 86400000).toISOString(),
   created_at: new Date().toISOString(),
+  updated_at: new Date().toISOString(),
   not_before: new Date(Date.now() - 86400000).toISOString(),
   not_after: new Date(Date.now() + 30 * 86400000).toISOString(),
   serial_number: xssPayload,

web/src/pages/ObservabilityPage.test.tsx

@@ -52,7 +52,18 @@ describe('ObservabilityPage — render + XSS hardening (M-026 / M-029 Pass 3)',
 
   it('renders the page header when metrics + health resolve', async () => {
     vi.mocked(client.getMetrics).mockResolvedValue({
-      uptime: { uptime_seconds: 3600, server_started: new Date().toISOString() },
+      gauge: {
+        certificate_total: 0,
+        certificate_active: 0,
+        certificate_expiring_soon: 0,
+        certificate_expired: 0,
+        certificate_revoked: 0,
+        agent_total: 0,
+        agent_online: 0,
+        job_pending: 0,
+      },
+      counter: { job_completed_total: 0, job_failed_total: 0 },
+      uptime: { uptime_seconds: 3600, server_started: new Date().toISOString(), measured_at: new Date().toISOString() },
     } as never);
     vi.mocked(client.getHealth).mockResolvedValue({ status: 'ok' } as never);
     vi.mocked(client.getPrometheusMetrics).mockResolvedValue('# HELP up The current up state\nup 1\n' as never);
@@ -65,7 +76,18 @@ describe('ObservabilityPage — render + XSS hardening (M-026 / M-029 Pass 3)',
 
   it('does NOT execute <script> payloads in health.status / Prometheus text', async () => {
     vi.mocked(client.getMetrics).mockResolvedValue({
-      uptime: { uptime_seconds: 3600, server_started: new Date().toISOString() },
+      gauge: {
+        certificate_total: 0,
+        certificate_active: 0,
+        certificate_expiring_soon: 0,
+        certificate_expired: 0,
+        certificate_revoked: 0,
+        agent_total: 0,
+        agent_online: 0,
+        job_pending: 0,
+      },
+      counter: { job_completed_total: 0, job_failed_total: 0 },
+      uptime: { uptime_seconds: 3600, server_started: new Date().toISOString(), measured_at: new Date().toISOString() },
     } as never);
     vi.mocked(client.getHealth).mockResolvedValue({ status: xssPayload } as never);
     vi.mocked(client.getPrometheusMetrics).mockResolvedValue(xssPayload as never);
@@ -85,7 +107,18 @@ describe('ObservabilityPage — render + XSS hardening (M-026 / M-029 Pass 3)',
 
   it('renders the literal Prometheus payload as escaped text', async () => {
     vi.mocked(client.getMetrics).mockResolvedValue({
-      uptime: { uptime_seconds: 3600, server_started: new Date().toISOString() },
+      gauge: {
+        certificate_total: 0,
+        certificate_active: 0,
+        certificate_expiring_soon: 0,
+        certificate_expired: 0,
+        certificate_revoked: 0,
+        agent_total: 0,
+        agent_online: 0,
+        job_pending: 0,
+      },
+      counter: { job_completed_total: 0, job_failed_total: 0 },
+      uptime: { uptime_seconds: 3600, server_started: new Date().toISOString(), measured_at: new Date().toISOString() },
     } as never);
     vi.mocked(client.getHealth).mockResolvedValue({ status: 'ok' } as never);
     vi.mocked(client.getPrometheusMetrics).mockResolvedValue(xssPayload as never);