Merge branch 'feature/1.5.2-browser-automation-testing' into main

Implements Feature 1.5.2 browser automation testing infrastructure:
- CoreIdent.E2E.Tests with Playwright for browser automation
- Keycloak integration tests with external provider fixture
- OAuth2/OIDC E2E tests for token, JWKS, passkey endpoints
- KestrelTestHostFixture for real in-proc HTTP testing

All 473 tests pass.

Author: stimpy77

AGENTS.md

@@ -0,0 +1,129 @@
+# AGENTS.md — Agentic Coding Guidelines for CoreIdent
+
+This file provides instructions for AI coding agents (Claude, Copilot, Cursor, etc.) working on this codebase.
+
+## Build / Test Commands
+
+```bash
+# Restore and build entire solution
+dotnet restore CoreIdent.sln
+
+# Build (compile only)
+dotnet build CoreIdent.sln
+
+# Run all tests
+dotnet test CoreIdent.sln
+
+# Run tests with coverage (produces coverage.cobertura.xml)
+dotnet test CoreIdent.sln --collect:"XPlat Code Coverage"
+
+# Run single test project
+dotnet test tests/CoreIdent.Core.Tests/CoreIdent.Core.Tests.csproj
+
+# Run single test class
+dotnet test tests/CoreIdent.Integration.Tests -v n --filter "FullyQualifiedName~TokenEndpointsTests"
+
+# Watch mode (during development)
+dotnet watch test --project tests/CoreIdent.Core.Tests
+
+# Format code style
+dotnet format
+
+# Build a specific project
+dotnet build src/CoreIdent.Core/CoreIdent.Core.csproj
+```
+
+## Code Style Guidelines
+
+### General Principles
+- **Security first** — Never log secrets, tokens, OTPs, or raw PII. Use redaction helpers for email/phone.
+- **Fail fast** — Validate arguments early. Throw `ArgumentNullException` for null required params.
+- **One responsibility per class/method** — Keep functions focused and small.
+- **Interface-driven design** — All services have interfaces for testability. No `new` for services; inject via constructor.
+
+### C# 14 Conventions
+- **File-scoped namespaces**: `namespace Foo;` not `namespace Foo { }`
+- **Primary constructors** where appropriate
+- **Target-typed new**: `List<string> items = [];` not `new List<string>()`
+- **Extension members** for `ClaimsPrincipal` utilities
+- **Pattern matching** — Prefer `is` patterns over type checks + casts
+
+### Naming
+- Meaningful names; avoid abbreviations except well-known ones (`ct` for CancellationToken is fine)
+- Interfaces: `I` prefix (e.g., `ITokenService`)
+- Records for DTOs/value objects: suffix with `Request`, `Response`, `Options`, or `Result` as appropriate
+
+### Types & Nullability
+- **Nullable reference types enabled** — Fix nullable warnings, don't suppress with `!`
+- **No type coercion** (`as any`, `@ts-ignore`, `@ts-expect-error`, etc.)
+- Prefer `record` types for DTOs and value objects
+- Use `CancellationToken` with default value in async APIs
+
+### Imports & Formatting
+- Remove unused usings before committing
+- Run `dotnet format` when touching many files
+- Follow existing style in the file you're editing
+
+### NuGet Package Management
+- **Prefer `dotnet add package` over manual XML edits** — This ensures consistent formatting and version resolution
+  ```bash
+  # Correct way to add a package
+  dotnet add tests/CoreIdent.Testing/CoreIdent.Testing.csproj package Microsoft.Playwright
+  
+  # Avoid: Manually editing .csproj XML
+  ```
+- When manually adding packages is unavoidable, follow the existing `<PackageReference>` formatting in the project
+- Never add comments inside `<ItemGroup>` blocks that describe why a package is added (commit messages serve this purpose)
+
+### Error Handling
+- **No empty catch blocks** — Always handle or log exceptions
+- Use structured logging with `ILogger<T>`
+- Include correlation context in logs
+
+### XML Documentation
+- **All public APIs require XML docs** (CS1591 is treated as error)
+- User-facing APIs (DI/extension methods/endpoints): add practical guidance in `<remarks>`
+
+### Testing
+- **Use Shouldly** with explicit assertion messages:
+  ```csharp
+  result.ShouldNotBeNull("Token should be issued on successful authentication");
+  client.AllowedScopes.ShouldContain("openid", "OIDC scope must be allowed");
+  ```
+- **Coverage gate**: Changes to `src/CoreIdent.Core/` require **>= 90% normalized merged line coverage**
+- Write tests *before* or *alongside* implementation, not after
+- Never commit code that breaks existing tests
+
+### Commit Discipline
+- **One feature per commit** — No multi-feature commits
+- **Atomic commits** — Each commit should build and pass tests independently
+- **Conventional commits**: `feat:`, `fix:`, `test:`, `docs:`, `chore:`, `refactor:`
+- **No AI co-authorship** in commit messages
+
+## Essential Documentation
+
+| Document | Purpose |
+|----------|---------|
+| [`CLAUDE.md`](CLAUDE.md) | **Primary** — Complete development guidelines |
+| [`docs/DEVPLAN.md`](docs/DEVPLAN.md) | Task-level checklist and roadmap |
+| [`docs/Technical_Plan.md`](docs/Technical_Plan.md) | Technical specifications and RFC links |
+| [`docs/Project_Overview.md`](docs/Project_Overview.md) | Architecture and vision |
+| [`index.md`](index.md) | Component and folder overview |
+
+## Before Making Changes
+
+1. Read relevant sections of `DEVPLAN.md` and `Technical_Plan.md`
+2. Check existing patterns in similar files
+3. Write or outline tests first
+4. Run diagnostics: `lsp_diagnostics` on changed files before completing
+
+## What NOT To Do
+
+- Don't commit without tests
+- Don't bundle multiple features in one commit
+- Don't skip security validation "for now"
+- Don't add dependencies without justification
+- Don't delete or weaken existing tests
+- Don't hardcode configuration values
+- Don't log sensitive data
+- Don't leave code in broken state

CoreIdent.sln

@@ -49,6 +49,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CoreIdent.Client.Samples",
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CoreIdent.Server.Samples", "samples\CoreIdent.Server.Samples\CoreIdent.Server.Samples.csproj", "{3358BBBC-5B99-415D-8113-FF763CC9DDA5}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CoreIdent.E2E.Tests", "tests\CoreIdent.E2E.Tests\CoreIdent.E2E.Tests.csproj", "{6B54927B-02A8-43EC-AAD0-0749703B4F2D}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -299,6 +301,18 @@ Global
 		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Release|x64.Build.0 = Release|Any CPU
 		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Release|x86.ActiveCfg = Release|Any CPU
 		{3358BBBC-5B99-415D-8113-FF763CC9DDA5}.Release|x86.Build.0 = Release|Any CPU
+		{6B54927B-02A8-43EC-AAD0-0749703B4F2D}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{6B54927B-02A8-43EC-AAD0-0749703B4F2D}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{6B54927B-02A8-43EC-AAD0-0749703B4F2D}.Debug|x64.ActiveCfg = Debug|Any CPU
+		{6B54927B-02A8-43EC-AAD0-0749703B4F2D}.Debug|x64.Build.0 = Debug|Any CPU
+		{6B54927B-02A8-43EC-AAD0-0749703B4F2D}.Debug|x86.ActiveCfg = Debug|Any CPU
+		{6B54927B-02A8-43EC-AAD0-0749703B4F2D}.Debug|x86.Build.0 = Debug|Any CPU
+		{6B54927B-02A8-43EC-AAD0-0749703B4F2D}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{6B54927B-02A8-43EC-AAD0-0749703B4F2D}.Release|Any CPU.Build.0 = Release|Any CPU
+		{6B54927B-02A8-43EC-AAD0-0749703B4F2D}.Release|x64.ActiveCfg = Release|Any CPU
+		{6B54927B-02A8-43EC-AAD0-0749703B4F2D}.Release|x64.Build.0 = Release|Any CPU
+		{6B54927B-02A8-43EC-AAD0-0749703B4F2D}.Release|x86.ActiveCfg = Release|Any CPU
+		{6B54927B-02A8-43EC-AAD0-0749703B4F2D}.Release|x86.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -324,5 +338,6 @@ Global
 		{A90B9D37-39B3-4AE4-8AE1-52E5A02CB200} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
 		{08E5F2CA-FB60-4E61-B0B3-ADBD6743C19F} = {5D20AA90-6969-D8BD-9DCD-8634F4692FDA}
 		{3358BBBC-5B99-415D-8113-FF763CC9DDA5} = {5D20AA90-6969-D8BD-9DCD-8634F4692FDA}
+		{6B54927B-02A8-43EC-AAD0-0749703B4F2D} = {0AB3BF05-4346-4AA6-1389-037BE0695223}
 	EndGlobalSection
 EndGlobal