Wire supported domains into doctor

[jmcte]

Summary

• Adds supportedDomains to the persisted APW config shape and preserves it across config rewrites.
• Makes apw doctor read configured domains and validate their AASA responses, while retaining APW_AASA_DOMAINS as a CI/manual override.
• Keeps doctor domain discovery non-destructive: malformed user config is preserved while supportedDomains are read with a best-effort parse.
• Rejects AASA responses that redirect, are not served as application/json, or omit a non-empty webcredentials.apps array.
• Updates the domain expansion playbook and adds unit plus CLI-level regressions for configured-domain validation.

Closes #8.

Verification

• cargo fmt --manifest-path rust/Cargo.toml -- --check
• cargo clippy --manifest-path rust/Cargo.toml --all-targets -- -D warnings
• cargo test --manifest-path rust/Cargo.toml doctor::tests::associated_domains_check_preserves_invalid_config_when_env_unset -- --nocapture
• cargo test --manifest-path rust/Cargo.toml utils::tests::supported_domain_probe_read_preserves_invalid_user_config -- --nocapture
• cargo test --manifest-path rust/Cargo.toml doctor::tests -- --nocapture
• cargo test --manifest-path rust/Cargo.toml --test security_regressions doctor_ci_reports_unreachable_supported_domain_from_config -- --nocapture
• cargo test --manifest-path rust/Cargo.toml --test security_regressions
• bash scripts/ci/run-fast-checks.sh
• git diff --check

Notes

• This keeps entitlement expansion as a signing/release step: config can narrow the active domain set, but the app still cannot return credentials for domains missing from the signed Associated Domains entitlement.
• Mutation testing / CRAP indicator coverage remains in the dedicated quality PR; this PR adds issue-specific doctor and security-regression coverage.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: d3f3598104

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Avoid clearing user config during doctor domain discovery

configured_associated_domains() now reads supportedDomains via read_config_file_or_empty(), which internally calls read_config_file(). That read path invokes clear_config() on several validation errors (for example malformed JSON/schema/host/port), so a diagnostic apw doctor run can now delete ~/.apw/config.json (and potentially keychain-backed secret metadata) instead of remaining read-only. This is a regression from the previous env-only path and can cause data loss when users run doctor specifically to troubleshoot config problems.

Useful? React with 👍 / 👎.