fix(restheart-mongo): pin JWT key + correct globalNoise format for deterministic replay

Two record/replay determinism fixes the full keploy/enterprise compat
matrix needs to go green:

1) RHO `/jwtConfigProvider/key` pinned to a fixed string. Default is
   `key: null` which makes RESTHeart auto-generate a random HS256 secret
   per container start. Recorded JWT bearers carry an HS256 signature
   over the payload using that secret, so a fresh-container replay phase
   rejects the recorded bearer with 401 even though --freezeTime keeps
   `exp` valid. Pinning the secret keeps the bearer signature verifiable
   across record→replay container restarts.

2) keploy.yml.template rewritten to use NESTED globalNoise format
   (`body: { field: [] }`) instead of flat dotted keys (`body.field: []`).
   Keploy's matcher reads `globalNoise.global` as map[section][field]regex
   and treats dotted keys as literal outer keys, never matching the body
   section. Verified by walking pkg/matcher/http/match.go and the
   employee-manager sample's commented example. Fields added:
   header.{Date, Content-Length, Auth-Token},
   body.{_etag, _oid, _id, lastModified, client_ip, latencyMs, access_token}.

Validated locally with all three matrix cells (record-stable-replay-pr,
record-pr-replay-pr, record-pr-replay-stable) — each reaches 296/296
PASSED with these two changes plus the lane-side --port and --freezeTime
flags already in keploy/enterprise#1889.

Author: AkashKumar7902

restheart-mongo/docker-compose.yml

@@ -15,11 +15,19 @@ services:
       # RHO is RESTHeart's runtime config-override syntax:
       #   key->value  pairs separated by ';'
       # We override the default mongo URL (which the upstream image
-      # points at host.docker.internal — irrelevant in compose) AND
-      # explicitly bind /http-listener/host to 0.0.0.0; without that
-      # second override the upstream image binds to localhost and is
-      # unreachable from the host port mapping.
-      RHO: '/mclient/connection-string->"mongodb://${RESTHEART_MONGO_IP:-172.36.0.10}:27017";/http-listener/host->"0.0.0.0";/core/log-level->"INFO"'
+      # points at host.docker.internal — irrelevant in compose),
+      # explicitly bind /http-listener/host to 0.0.0.0 (without it
+      # the upstream image binds localhost and is unreachable from
+      # the host port mapping), AND pin /jwtConfigProvider/key to
+      # a fixed secret. The default `key: null` makes RESTHeart
+      # generate a fresh random HS256 secret on every container
+      # start. Recorded JWT bearers carry an HS256 signature over
+      # the payload using that secret, so a fresh-container replay
+      # phase rejects the recorded bearer with 401 even though
+      # --freezeTime keeps `exp` valid. Pinning the secret keeps
+      # the bearer signature verifiable across record→replay
+      # container restarts (deterministic key, deterministic JWT).
+      RHO: '/mclient/connection-string->"mongodb://${RESTHEART_MONGO_IP:-172.36.0.10}:27017";/http-listener/host->"0.0.0.0";/core/log-level->"INFO";/jwtConfigProvider/key->"keploy-fixed-jwt-secret-for-deterministic-recordings"'
     depends_on:
       mongo:
         condition: service_healthy

restheart-mongo/keploy.yml.template

@@ -1,21 +1,54 @@
 # keploy.yml template for the restheart-mongo sample.
 #
-# globalNoise covers fields whose value is non-deterministic
-# across record/replay:
+# globalNoise.global is consumed at replay-time as a `body` /
+# `header` map of field-name → regex array. Keploy's matcher
+# expects a NESTED structure (top-level keys are the response
+# section "body" / "header"; inner keys are the field names).
+# Flat dotted-keys like `body.field: []` are not unflattened by
+# the parser — they end up as outer keys "body.field" and never
+# match the body section, so the noise is silently ignored.
 #
-#   header.Date                    runtime-stamped
-#   body._etag                     RESTHeart auto-stamped on each
-#                                  document; changes per write
-#   body._oid / body._id           server-generated ObjectIds
-#                                  (when not set by client)
-#   body.lastModified              auto-now timestamp
+# Fields covered here:
+#
+#   header.Date / header.Content-Length
+#     Runtime-stamped; Content-Length is downstream-of body.client_ip
+#     on /ping (length changes when the reflected client_ip differs
+#     in byte width).
+#   body._etag / body._oid / body._id
+#     RESTHeart auto-stamped on each document; ObjectIds and ETag
+#     change per write.
+#   body.lastModified
+#     Auto-now timestamp.
+#   body.client_ip
+#     RESTHeart's /ping echoes the requesting client IP. Differs
+#     between host-driven record (loopback) and docker-bridge
+#     replay (gateway). Time-freeze can't help; this is
+#     network-derived.
+#   body.latencyMs
+#     /health/db reports a freshly measured DB ping duration; varies
+#     per request even with time freeze (the duration is computed
+#     end-start across two clock reads).
+#   header.Auth-Token / body.access_token
+#     RESTHeart's /token endpoint mints a JWT with `exp` and `jti`
+#     (random UUID) on every call. Time-freeze pins exp, but jti is
+#     a SecureRandom UUID and the HS256 signature is a function of
+#     the full payload, so tokens never match byte-for-byte across
+#     record/replay.
 #
 # Centralised here so a future RESTHeart version that adds another
 # auto-stamped field is one edit, not a fan-out across lane scripts.
 test:
   globalNoise:
     global:
-      header.Date: []
-      body._etag: []
-      body._oid: []
-      body.lastModified: []
+      header:
+        Date: []
+        Content-Length: []
+        Auth-Token: []
+      body:
+        _etag: []
+        _oid: []
+        _id: []
+        lastModified: []
+        client_ip: []
+        latencyMs: []
+        access_token: []