
Add security invariant coverage for resource server, settings, and refresh tokens#9

Draft
bymoye wants to merge 9 commits into main from codex/security-coverage-invariants

Conversation

@bymoye bymoye commented Jun 14, 2026

Owner

Summary

This PR continues the effective-security-coverage work from docs/coverage/2026-06-14-security-coverage-checkpoint.md.

Added meaningful invariant tests for:

  • resource-server sender constraints:
    • exact mTLS cnf.x5t#S256 matching;
    • DPoP/mTLS binding mismatch rejection;
    • empty/absent cnf fail-closed behavior;
    • DPoP authorization scheme requiring a sender-constrained access token;
  • settings/startup security policy:
    • production HTTPS issuers cannot disable secure cookies;
    • pairwise subject identifiers require stable secret material;
    • FAPI2 profiles cap auth-code TTL, force PAR, and force required DPoP nonces;
    • external signer command parsing preserves deterministic argv semantics;
  • refresh-token lifecycle policy:
    • scope narrowing is exact and case-sensitive;
    • requested scope cannot expand original authorization;
    • holder-of-key confidential clients preserve mTLS-bound refresh tokens by policy;
    • public/shared-secret clients do not preserve refresh tokens merely because token cnf exists;
    • malformed refresh grants fail before storage lookup/token issuance and do not emit client-credential challenges.

Also added docs/coverage/2026-06-14-codex-security-invariants.md documenting the baseline inspected, tests added, exclusions, and validation limitation.

Coverage / Codecov config

No new files were excluded from coverage. Existing exclusions remain limited to generated schema/row DTOs, glue/wrappers, tests, benches, examples, and migrations. Protocol core, security core, configuration validation, token validation, repository state transitions, error mapping, resource-server verifier, DPoP, mTLS, PAR, JAR, JARM, and refresh-token rotation remain covered targets.

Validation

I could not run local validation in this execution environment:

  • git clone https://github.com/bymoye/NazoAuth.git failed because DNS could not resolve github.com;
  • rustc --version failed because the Rust toolchain is not installed in the container.

Therefore these required commands still need to run in CI or a Rust-enabled environment:

cargo fmt
cargo clippy --all-targets --all-features -- -D warnings
cargo test --all-features
cargo llvm-cov ...

The latest reliable checkpoint inspected before this PR recorded effective coverage at TOTAL LH=7234 LF=15514 46.63%; this PR is an incremental security-invariant coverage batch and does not claim a verified 100% coverage result.
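
Added example, not NazoAuth's code: a minimal model of two of the invariants listed above (exact sender-constraint matching with fail-closed cnf handling, and exact, case-sensitive refresh-token scope narrowing). All type and function names are hypothetical.

```rust
// Added example, not the project's own code. Names are hypothetical and
// only model the invariants described in the PR body.
use std::collections::{BTreeMap, BTreeSet};

/// Proof of possession presented alongside the access token.
#[derive(Debug, PartialEq, Eq)]
pub enum Presented {
    Mtls { x5t_s256: String }, // client cert SHA-256 thumbprint, base64url (RFC 8705)
    Dpop { jkt: String },      // DPoP proof key JWK thumbprint (RFC 9449)
    Bearer,                    // no proof of possession at all
}

#[derive(Debug, PartialEq, Eq)]
pub enum Rejection { MissingCnf, BindingMismatch, ProofRequired }

/// `cnf` is the token's confirmation claim ("x5t#S256" or "jkt" keys).
/// Fail closed: an absent or empty cnf is never accepted, a bearer
/// presentation of a bound token is refused, and both the binding *type*
/// and its *value* must match exactly (byte comparison, no case folding,
/// no accepting an mTLS thumbprint for a DPoP request or vice versa).
pub fn verify_sender_constraint(
    cnf: Option<&BTreeMap<String, String>>,
    presented: &Presented,
) -> Result<(), Rejection> {
    let cnf = match cnf {
        Some(m) if !m.is_empty() => m,
        _ => return Err(Rejection::MissingCnf),
    };
    let (key, value) = match presented {
        Presented::Mtls { x5t_s256 } => ("x5t#S256", x5t_s256),
        Presented::Dpop { jkt } => ("jkt", jkt),
        Presented::Bearer => return Err(Rejection::ProofRequired),
    };
    match cnf.get(key) {
        Some(v) if v == value => Ok(()),
        _ => Err(Rejection::BindingMismatch),
    }
}

/// Refresh-grant scope handling: an omitted scope keeps the original grant;
/// a requested scope must be a non-empty subset of it, compared byte-for-byte.
/// Returns None when the request would expand (or case-fold) the original.
pub fn narrow_scope(original: &str, requested: Option<&str>) -> Option<BTreeSet<String>> {
    let granted: BTreeSet<String> = original.split_ascii_whitespace().map(str::to_owned).collect();
    let Some(req) = requested else { return Some(granted) };
    let wanted: BTreeSet<String> = req.split_ascii_whitespace().map(str::to_owned).collect();
    if wanted.is_empty() || !wanted.is_subset(&granted) { return None; }
    Some(wanted)
}
```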

codecov Bot commented Jun 14, 2026


Welcome to Codecov 🎉

Once you merge this PR into your default branch, you're all set! Codecov will compare coverage reports and display results in all future pull requests.

Thanks for integrating Codecov - We've got you covered ☂️
