Add tests for supply-chain verification endpoints and platform claim flows #110

@bordumb

Problem

We shipped significant new functionality without tests:

Backend (auths-cloud/crates/auths-registry-server)

  • GET /v1/packages/:eco/:name/versions — version-level signing data
  • GET /v1/packages/:eco/:name/health — signing continuity / gap detection
  • GET /v1/badges/:eco/:name — SVG badge with health status
  • GET /v1/packages/:eco/:name/timeline — machine-readable timeline
  • GET /v1/packages/top-unsigned — leaderboard endpoint
  • verify_npm_token_proof() — npm token + signature verification
  • verify_pypi_claim_proof() — PyPI signed claim verification
  • Proof dispatch logic in add_platform_claim() (npm-token: / pypi-claim: / gist prefix routing)
  • Namespace claim rejection without verified platform claim (validation.rs)
  • Input validation: validate_ecosystem() and validate_package_name()

Backend (auths/crates)

  • resolve_verified_platform_context() in auths-infra-http — fetches verified claims from registry
  • claim_npm_identity() in auths-sdk — npm claim workflow
  • claim_pypi_identity() in auths-sdk — PyPI claim workflow
  • HttpNpmAuthProvider::verify_token() — npm whoami verification
  • Namespace claim security: CLI no longer accepts --github-username flag

Frontend (auths-hub)

  • signing-health-card.tsx — 5 status variants
  • signature-timeline.tsx — gap detection visualization
  • badge-embed.tsx — copy-paste snippets
  • platform-passport.tsx — verified/ghost card states
  • package-client.tsx — full page integration with health, timeline, badge
  • dashboard-client.tsx — consolidated home/explore with leaderboard
  • fetchPackageHealth(), fetchPackageVersions(), fetchTopUnsigned() — API functions
  • usePackageHealth(), usePackageVersions(), useTopUnsigned() — React Query hooks
  • Global search namespace matching

Priority test cases

P1 — security-critical:

  • Namespace claim rejected when no verified platform claim exists
  • validate_ecosystem() rejects unknown ecosystems (returns 400)
  • validate_package_name() rejects path traversal attempts
  • verify_npm_token_proof() rejects mismatched username/token
  • verify_pypi_claim_proof() rejects invalid Ed25519 signatures
  • verify_pypi_claim_proof() rejects claim DID mismatch
  • Proof dispatch correctly routes npm-token: / pypi-claim: / gist prefixes

P2 — correctness:

  • Health endpoint: signature_gap detected when unsigned version follows signed version
  • Health endpoint: partially_signed only when all unsigned versions predate signed ones
  • Health endpoint: all_signed when every version has valid signer
  • Health endpoint: unsigned when zero attestations
  • Versions endpoint: version extracted from package_name via split_part
  • Versions endpoint: cursor-based pagination
  • Badge SVG: correct colors for each health status
  • Badge SVG: XML escaping prevents injection
  • Top-unsigned endpoint: filters by ecosystem, sorted by downloads
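As an added example (not the registry server's own code), the four health outcomes listed in the P2 cases above expressed as one classifier over a package's publish history; the `Version`/`Health` types and `health_status` name are hypothetical, and the version data in `main` is constructed.

```rust
/// Health outcomes mirroring the P2 cases: unsigned, all_signed,
/// partially_signed, signature_gap. Hypothetical type, not the server's.
#[derive(Debug, Clone, PartialEq)]
pub enum Health {
    Unsigned,
    AllSigned,
    PartiallySigned,
    SignatureGap,
}

/// One published version and whether a valid signer attestation exists.
/// `published_at` only needs to order versions (constructed epoch seconds).
pub struct Version {
    pub version: String,
    pub published_at: u64,
    pub signed: bool,
}

/// Classify signing continuity. Zero attestations -> Unsigned; every version
/// signed -> AllSigned; otherwise an unsigned version published *after* any
/// signed one is a gap, and unsigned versions that all predate signing is
/// PartiallySigned.
pub fn health_status(versions: &[Version]) -> Health {
    let mut sorted: Vec<&Version> = versions.iter().collect();
    sorted.sort_by_key(|v| v.published_at); // oldest first

    let signed_count = sorted.iter().filter(|v| v.signed).count();
    if signed_count == 0 {
        return Health::Unsigned;
    }
    if signed_count == sorted.len() {
        return Health::AllSigned;
    }
    let mut seen_signed = false;
    for v in &sorted {
        if v.signed {
            seen_signed = true;
        } else if seen_signed {
            return Health::SignatureGap; // unsigned follows signed
        }
    }
    Health::PartiallySigned
}

fn main() {
    // Constructed history: signing started at 1.1.0, then lapsed at 1.2.0.
    let v = |ver: &str, t: u64, s: bool| Version { version: ver.into(), published_at: t, signed: s };
    let history = [v("1.0.0", 1, false), v("1.1.0", 2, true), v("1.2.0", 3, false)];
    println!("{:?}", health_status(&history)); // SignatureGap
}
```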

P3 — frontend:

  • Health card renders all 5 status variants
  • Timeline shows red tint for unsigned-after-signed rows
  • Badge embed hidden when no releases
  • Platform passport shows ghost cards for unclaimed platforms

Test patterns to follow

Backend: auths-cloud/crates/auths-registry-server/tests/cases/ — add supply_chain.rs module
SDK: auths/crates/auths-sdk/tests/ — add platform claim workflow tests
Frontend: auths-hub/apps/web/src/ — vitest component tests (none exist yet, need test infrastructure)

Existing test infrastructure

  • Backend: tests/integration.rs with test_state() helper, app.oneshot() pattern
  • SDK: cargo nextest run -p auths-sdk
  • Frontend: pnpm --filter @auths/hub exec vitest run (vitest configured but no component tests)
