TASK-079: drive nonce/opaque state machine in v2 digest-auth integ tests

Six v2 digest-auth integ tests (digest_auth[_wrong_pass],
digest_auth_with_ha1_{md5,sha256}[_wrong_pass], digest_user_cache_with_auth)
were previously observationally indistinguishable from static-challenge
pins because libcurl's CURLAUTH_DIGEST owned the nonce/opaque computation.
That hid the HA1-precomputed AC: libcurl always recomputes HA1 from the
cleartext password it was given, so "server validates against configured
HA1, not against re-derived MD5/SHA-256 of cleartext" was unobservable.

Add a header-only RFC 7616 client helper at test/integ/digest_client.hpp
with inline public-domain MD5 (RFC 1321) and SHA-256 (FIPS 180-4), a
WWW-Authenticate parser, and cleartext + precomputed-HA1 response-compute
paths. Pin the helper in test/unit/digest_client_self_test.cpp against
the FIPS canonical "abc"/empty vectors and the RFC 7616 §3.9.1 worked
example for both MD5 (8ca523f5...) and SHA-256 (753927fa...).

Convert each of the six tests to a two-round flow: round 1 captures the
challenge via CURLOPT_HEADERFUNCTION, round 2 ships a hand-built
`Authorization: Digest ...` header. Wrong-password variants now assert
401 on the SECOND request, not on the initial challenge. HA1 variants
sign with the configured 16/32-byte HA1 directly -- cleartext never
leaves the test, so a 200 response proves the server validates against
the configured HA1. The wrong-HA1 negative variants (signing with
md5/sha256("user:realm:totallywrong")) strengthen the proof.

Migrate digest_user_cache_resource from the legacy `unauthorized("Digest",
"testrealm", "FAIL")` static overload to the RFC 7616 digest_challenge
factory so the handshake can complete; digest_user_cache_with_auth now
asserts "USER:testuser" (reaching the cache-hit code path).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: etr

test/Makefile.am

@@ -26,7 +26,7 @@ LDADD += -lcurl
 
 AM_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/src/httpserver/ -DHTTPSERVER_COMPILATION
 METASOURCES = AUTO
-check_PROGRAMS = basic file_upload http_utils threaded nodelay string_utilities http_endpoint ban_system ws_start_stop authentication digest_challenge_format deferred http_resource http_response create_webserver create_webserver_explicit new_response_types daemon_info uri_log feature_unavailable header_hygiene_iovec header_hygiene iovec_entry http_method constants body http_response_sbo http_response_factories http_response_digest_factory http_response_move_sanitizer webserver_pimpl http_request_pimpl create_test_request http_request_arena http_request_unescape_arena http_request_const_getters http_request_tls_accessors http_request_operator_stream webserver_register_smartptr webserver_register_path_prefix webserver_on_methods webserver_route route_table lookup_pipeline route_table_concurrency routing_regression route_lookup_canonicalize auth_skip_normalize http_resource_allow_cache v2_dispatch_contract threadsafety_stress webserver_features webserver_ws_unavailable webserver_register_ws_smartptr webserver_dauth_unavailable consumer_fixture header_hygiene_hooks hook_api_shape hooks_no_firing hooks_accept_ctx_shape hooks_connection_lifecycle hooks_accept_decision_banned hooks_accept_decision_throwing hooks_body_chunk_ctx_shape hooks_request_received_short_circuit hooks_body_chunk_observes_progress hooks_body_chunk_short_circuit_no_leak hooks_before_handler_ctx_shape hooks_route_resolved_miss_and_hit hooks_before_handler_short_circuit hooks_alias_count hooks_alias_functional hooks_handler_exception_chain hooks_handler_exception_user_handler_throws_continues_chain hooks_handler_exception_fallback_to_hardcoded_500 hooks_handler_exception_slot hooks_response_sent_ctx_shape hooks_request_completed_ctx_shape hooks_after_handler_replaces_response hooks_after_handler_mutates_response_in_place hooks_response_sent_carries_status_bytes_timing hooks_request_completed_fires_on_early_failure hooks_log_access_alias_slot hooks_per_route_invalid_phase_throws hooks_per_route_order hooks_per_route_early_413_per_endpoint hooks_per_route_resource_destroyed_first hooks_per_route_concurrent_registration hooks_not_found_alias auth_handler_optional_signature no_v1_compat_shim cookie_header_sentinel cookie_render cookie_deprecation_sentinel http_response_cookie_wire http_request_cookies_parsed peer_address_to_string secure_zero_dce connection_state_sentinel connection_state_body_residue debug_dump_request_body_unset debug_dump_request_body_set littletest_skip_semantics
+check_PROGRAMS = basic file_upload http_utils threaded nodelay string_utilities http_endpoint ban_system ws_start_stop authentication digest_challenge_format deferred http_resource http_response create_webserver create_webserver_explicit new_response_types daemon_info uri_log feature_unavailable header_hygiene_iovec header_hygiene iovec_entry http_method constants body http_response_sbo http_response_factories http_response_digest_factory http_response_move_sanitizer webserver_pimpl http_request_pimpl create_test_request http_request_arena http_request_unescape_arena http_request_const_getters http_request_tls_accessors http_request_operator_stream webserver_register_smartptr webserver_register_path_prefix webserver_on_methods webserver_route route_table lookup_pipeline route_table_concurrency routing_regression route_lookup_canonicalize auth_skip_normalize http_resource_allow_cache v2_dispatch_contract threadsafety_stress webserver_features webserver_ws_unavailable webserver_register_ws_smartptr webserver_dauth_unavailable consumer_fixture header_hygiene_hooks hook_api_shape hooks_no_firing hooks_accept_ctx_shape hooks_connection_lifecycle hooks_accept_decision_banned hooks_accept_decision_throwing hooks_body_chunk_ctx_shape hooks_request_received_short_circuit hooks_body_chunk_observes_progress hooks_body_chunk_short_circuit_no_leak hooks_before_handler_ctx_shape hooks_route_resolved_miss_and_hit hooks_before_handler_short_circuit hooks_alias_count hooks_alias_functional hooks_handler_exception_chain hooks_handler_exception_user_handler_throws_continues_chain hooks_handler_exception_fallback_to_hardcoded_500 hooks_handler_exception_slot hooks_response_sent_ctx_shape hooks_request_completed_ctx_shape hooks_after_handler_replaces_response hooks_after_handler_mutates_response_in_place hooks_response_sent_carries_status_bytes_timing hooks_request_completed_fires_on_early_failure hooks_log_access_alias_slot hooks_per_route_invalid_phase_throws hooks_per_route_order hooks_per_route_early_413_per_endpoint hooks_per_route_resource_destroyed_first hooks_per_route_concurrent_registration hooks_not_found_alias auth_handler_optional_signature no_v1_compat_shim cookie_header_sentinel cookie_render cookie_deprecation_sentinel http_response_cookie_wire http_request_cookies_parsed peer_address_to_string secure_zero_dce connection_state_sentinel connection_state_body_residue debug_dump_request_body_unset debug_dump_request_body_set littletest_skip_semantics digest_client_self_test
 
 MOSTLYCLEANFILES = *.gcda *.gcno *.gcov
 
@@ -627,7 +627,15 @@ debug_dump_request_body_set_SOURCES = integ/debug_dump_request_body_set_test.cpp
 littletest_skip_semantics_SOURCES = unit/littletest_skip_semantics_test.cpp
 littletest_skip_semantics_LDADD =
 
-noinst_HEADERS = littletest.hpp integ/test_utils.hpp integ/curl_helpers.hpp integ/server_ready.hpp
+# TASK-079: pure-CPU self-test for the test-side digest-client helper
+# (test/integ/digest_client.hpp). Pins the FIPS MD5/SHA-256 vectors, the
+# RFC 7616 §3.3 parser shape, and the RFC 7616 §3.9.1 worked-example
+# response value so the helper's behaviour is trusted before any integ
+# test consumes it.
+digest_client_self_test_SOURCES = unit/digest_client_self_test.cpp
+digest_client_self_test_LDADD =
+
+noinst_HEADERS = littletest.hpp integ/test_utils.hpp integ/curl_helpers.hpp integ/server_ready.hpp integ/digest_client.hpp
 AM_CXXFLAGS += -Wall -fPIC -Wno-overloaded-virtual
 
 if COND_GCOV