
Phase 3 integration tests and WebAuthn end-to-end validation #71

@helixclaw

Summary

Write comprehensive integration tests validating the full WebAuthn approval flow: notification with link → web UI → WebAuthn assertion → grant issued → client injects.

Context

WebAuthn introduces browser-based interaction which is harder to test. Tests will use @simplewebauthn/server's testing utilities to simulate WebAuthn ceremonies without actual hardware.

Acceptance Criteria

  • Integration test file: src/__tests__/integration/webauthn-flow.test.ts
  • Test scenarios:
    • Happy path: enroll credential → create request → server sends notification with link → simulate WebAuthn assertion → grant issued → client verifies + injects
    • Unenrolled: attempt WebAuthn approval with no credentials → error
    • Invalid assertion: bad signature → rejection
    • Expired approval token: click link after 10 min → error page
    • WebAuthn required mode: Discord reaction alone → insufficient (grant not issued)
    • WebAuthn optional mode: Discord reaction → grant issued (backward compat)
    • Deny via web UI: click deny → request denied
    • Credential management: enroll → list → remove → verify removed
  • Uses simulated WebAuthn with @simplewebauthn/server test helpers
  • Uses in-process Fastify server
  • All Phase 1 and Phase 2 tests continue to pass

Dependencies

Scope Boundaries

  • Does NOT test with real biometric hardware
  • Does NOT test across actual browsers (server-side simulation only)
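The assertion-level scenarios above (happy path, unenrolled, invalid assertion, expired approval token) can be simulated without hardware by a software authenticator. This is an added example, not code from this repository, and it uses Node's built-in crypto rather than @simplewebauthn/server; `RP_ID`, `ORIGIN` and all function names are assumptions, and the wrong-challenge case goes one step beyond the issue's list.

```typescript
import { createHash, generateKeyPairSync, randomBytes, sign, verify, KeyObject } from "node:crypto";

// Constructed values for this example (assumptions, not taken from the project).
const RP_ID = "approvals.example";
const ORIGIN = "https://approvals.example";
const TOKEN_TTL_MS = 10 * 60 * 1000; // the issue's 10-minute approval link lifetime
const sha256 = (d: Buffer | string): Buffer => createHash("sha256").update(d).digest();

interface Assertion { authenticatorData: Buffer; clientDataJSON: Buffer; signature: Buffer }

// Software authenticator: signs authenticatorData || SHA-256(clientDataJSON) with ES256.
function simulateAssertion(privateKey: KeyObject, challenge: string): Assertion {
  const authenticatorData = Buffer.alloc(37);
  sha256(RP_ID).copy(authenticatorData, 0); // rpIdHash, 32 bytes
  authenticatorData[32] = 0x05; // flags: user present | user verified
  authenticatorData.writeUInt32BE(1, 33); // signature counter
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin: ORIGIN }));
  const signature = sign("sha256", Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { authenticatorData, clientDataJSON, signature };
}

// Relying-party checks; returns "ok" or the reason the approval is refused.
function verifyApproval(a: Assertion, enrolledKey: KeyObject | undefined, challenge: string, issuedAt: number, now: number): string {
  if (!enrolledKey) return "unenrolled";
  if (now - issuedAt > TOKEN_TTL_MS) return "expired";
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get" || client.challenge !== challenge || client.origin !== ORIGIN) return "client-data-mismatch";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return "rp-id-mismatch";
  if ((a.authenticatorData[32] & 0x01) === 0) return "user-not-present";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return verify("sha256", signed, enrolledKey, a.signature) ? "ok" : "bad-signature";
}

// Runs the assertion-level scenarios against one constructed approval request.
function runScenarios(): Record<string, string> {
  const enrolled = generateKeyPairSync("ec", { namedCurve: "P-256" });
  const other = generateKeyPairSync("ec", { namedCurve: "P-256" }); // key that was never enrolled
  const challenge = randomBytes(32).toString("base64url");
  const t0 = 1_700_000_000_000; // constructed token issue time (ms)
  const good = simulateAssertion(enrolled.privateKey, challenge);
  const forged = simulateAssertion(other.privateKey, challenge);
  return {
    happy: verifyApproval(good, enrolled.publicKey, challenge, t0, t0 + 60_000),
    unenrolled: verifyApproval(good, undefined, challenge, t0, t0 + 60_000),
    invalid: verifyApproval(forged, enrolled.publicKey, challenge, t0, t0 + 60_000),
    expired: verifyApproval(good, enrolled.publicKey, challenge, t0, t0 + TOKEN_TTL_MS + 1),
    wrongChallenge: verifyApproval(good, enrolled.publicKey, randomBytes(32).toString("base64url"), t0, t0 + 60_000),
  };
}
```

The verifier here omits signature-counter tracking and attestation parsing, which a full relying-party library performs.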
