feat(oauth-client): add metadata validation stage with all AC2 checks
Task 2 of Phase 4: Implement MetadataFacts, ClientKind, JwksSource enums,
and the Check enum with 15 variants. Add the run() function that validates
documents (skips checks for loopback clients with implicit metadata).
Key additions:
- MetadataFacts struct capturing client kind, URIs, JWKS source, DPoP binding, and scope
- ClientKind enum (WebConfidential, WebPublic, Native, Loopback)
- JwksSource enum (Inline, Uri)
- Check enum with all 15 checks defined per AC2 specification
- Check::id(), Check::summary() returning stable strings
- Check::pass() and Check::spec_violation() helpers
- CHECK_ALL const array preserving insertion order
- MetadataStageOutput with facts and results
- run() async function handling RawMetadata::Implicit and RawMetadata::Document
- RawDocumentDeserializationError with #[derive(Diagnostic)]
For Document metadata, validates deserialization and emits
RawDocumentDeserializes check result. Subsequent validation checks
(ClientIdMatches through ScopeGrammarValid) remain as skipped with a
TODO marker for later implementation phases.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>