fix(oauth-client): address Phase 3 code review feedback
CRITICAL:
- Wire diagnostic codes into discovery error types (FetchError, HttpStatusError, JsonParseError)
- Fix ClientCmd::run to use miette::Report::new(e) for proper diagnostic rendering
IMPORTANT:
- FakeHttpClient and FakeDnsResolver now panic on unseeded inputs to catch test-author mistakes
- Revert labeler_subscription snapshot timing from 1ms to normalized (pre-Phase 3 state)
- Add content-type-present test case for AC1.6 (https_not_json_with_content_type_produces_spec_violation_with_ct)
- Clean up _discovery_facts binding with clarifying TODO comment for Phase 4
MINOR:
- Add #[source_code]/#[label] to TargetParseError for better diagnostic spans
- Fix DID resolution leakage in transport error: transform DidResolutionFailed to "connection refused"
- Add #[derive(Debug)] to OauthClientReport newtype
All tests pass, snapshots updated to reflect diagnostic codes in output.
Labeler identity tests updated to seed PLC audit log for crypto stage validation.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>