E2E: enable 5 skipped OIDC bridge tests

[bordumb]

Problem

All 5 tests in tests/e2e/test_oidc_bridge.py are skipping. The auths-oidc-bridge binary is built by cargo build --workspace (it's a separate crate with its own [[bin]]), but three of the five tests contain hardcoded pytest.skip() calls because they were written before the E2E helpers for attestation extraction existed.

Current state (36 total E2E tests)

Result	Count	Notes
PASS	31
SKIP	5	All OIDC bridge

Skip reasons per test

Test	Skip reason	Fix needed
test_bridge_health	Binary not on PATH (only in target/debug/) or bridge fails to start	Ensure conftest._find_binary resolves it; check bridge startup env
test_token_exchange	Hardcoded pytest.skip("GAP: requires full attestation chain creation via CLI")	Use export_attestation() helper to create a real attestation, POST it to /api/v1/token
test_token_jwt_claims	Hardcoded pytest.skip("GAP: requires token exchange to produce JWT first")	Chain off test_token_exchange: decode the returned JWT with PyJWT, assert standard claims (iss, sub, aud, exp, capabilities)
test_token_invalid_attestation	Depends on bridge fixture starting	Should pass once bridge starts — already has the right test logic
test_token_expired_attestation	Hardcoded pytest.skip("GAP: requires attestation creation with past expiry")	Use device link --expires-in-days 0 (or a very short TTL), wait, then POST to bridge and assert rejection

What's needed

1. Bridge startup: The oidc_bridge fixture needs the binary to be discoverable. It's built to target/debug/auths-oidc-bridge which conftest._find_binary should find — verify this works and check if the bridge needs additional env vars (e.g., AUTHS_HOME) beyond AUTHS_OIDC_BIND_ADDR and AUTHS_OIDC_SIGNING_KEY_PATH.

2. Attestation helpers: The export_attestation() helper in tests/e2e/helpers/cli.py now extracts attestation JSON from the auths git repo. Use it to feed real attestation chains to the bridge's /api/v1/token endpoint.

3. Remove hardcoded skips: Replace the three pytest.skip("GAP: ...") calls with actual test implementations:

   • test_token_exchange: export attestation → POST to bridge → assert 200 + JWT returned
   • test_token_jwt_claims: decode JWT → assert claims match attestation data
   • test_token_expired_attestation: create short-lived attestation → POST → assert 4xx

4. Python deps: test_token_jwt_claims needs PyJWT — confirm it's in the E2E pyproject.toml dev dependencies.

Context

The export_attestation() helper and all other E2E test gaps were fixed in #29. The OIDC bridge tests are the only remaining skips.

Acceptance criteria

• All 5 OIDC bridge tests pass (or fail with real assertion errors, not skips)
• uv run pytest -v shows 36 passed, 0 skipped