Add durable audit sink, session JWT tests, and Helm chart

[haasonsaas]

Context

ASB is the most security-sensitive service in the platform (privileged credential issuance with OIDC attestation) but has critical operational and testing gaps.

Problems

In-memory audit sink (issue #22)

internal/bootstrap/service.go line 114: auditSink := auditmemory.NewSink(). Every audit event (session creation, grant issuance, artifact unwrap, policy decision, approval transition) is lost on pod restart. For a service that handles privileged credential issuance, there is zero durable audit trail in production.

Session JWT manager is untested

internal/crypto/sessionjwt/manager.go is the most security-sensitive path — it signs and verifies session JWTs that gate agent sessions. No test file exists. No tests for:

• Expired tokens
• Algorithm confusion (RS256 vs EdDSA)
• Missing sid/tenant_id claims
• Tampered payloads

OIDC verifier has minimal tests

Only 2 tests; no coverage for:

• allowedSubjectPrefixes=[] (bypasses prefix check entirely)
• Expired tokens
• Wrong algorithm
• nbf in the future

No Helm chart (issue #21)

No standardized k8s manifests, resource limits, health probes, PDB, or secrets management.

Requirements

• Implement durable audit sink backed by shared audit gRPC service (closes Add durable audit pipeline with guaranteed delivery #22)
• Add retry/buffer for audit events (don't lose events if audit service is temporarily unavailable)
• Add comprehensive sessionjwt tests: expired, algorithm confusion, missing claims, tampered payload, clock skew
• Add OIDC verifier boundary tests: empty allowed prefixes, expired, wrong algorithm, nbf in future
• Add toolregistry unit tests (currently only tested indirectly via service_test.go)
• Create Helm chart with: resource limits, liveness/readiness/startup probes, PDB, secrets templating (closes Create Kubernetes deployment manifests and Helm chart #21)
• Add circuit breaker on GitHub and VaultDB connector operations in the grant issuance path
• Add gosec + golangci-lint to CI workflow

[haasonsaas]

Taking a first bounded slice of #61 on current main, scoped to the missing security-test coverage only.

The issue text is a bit stale now — sessionjwt already has a baseline test file — so this slice is specifically for the remaining gaps:

• sessionjwt edge cases still missing from coverage (expired token, wrong algorithm, tampered token, missing required claims variants)
• OIDC verifier boundary cases still missing from coverage (empty allowed prefixes, expired token, wrong algorithm, nbf in the future)

I’m not mixing in the durable audit sink, Helm chart, or connector hardening work in this PR.

[haasonsaas]

Claimed and shipped a first bounded slice for this issue in draft PR #67: #67

Scope of this slice:

• expanded sessionjwt edge-case coverage
• added OIDC verifier boundary/security tests
• hardened the verifier to reject mismatched signing methods for the configured key type

Local validation run:

• go test ./internal/authn/oidc ./internal/crypto/sessionjwt -count=1
• go test ./... -count=1
• golangci-lint on the touched packages

I left the broader audit-sink / Helm / connector follow-up work untouched, since that is a larger slice than this PR.

[haasonsaas]

Taking a second bounded slice of #61 on current main: add direct toolregistry unit coverage. This is intentionally narrow — validating Put/Get behavior and copy semantics in the registry package itself, without mixing in the larger audit-sink or Helm work.

[haasonsaas]

Opened the second #61 slice in draft PR #68: #68

This slice is intentionally narrow:

• add direct internal/authz/toolregistry unit coverage
• cover required-field validation, not-found lookups, overwrite behavior, and returned-copy semantics
• keep the change inside the registry package rather than relying only on indirect coverage through internal/app

Validation run locally:

• go test ./internal/authz/toolregistry -count=1
• go test ./... -count=1
• GOTOOLCHAIN=go1.26.0 go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.3 run ./internal/authz/toolregistry ./internal/app
• git diff --check