
test: add payment hardening conformance checks#35

Open
brendanjryan wants to merge 4 commits into main from brendanjryan/issue-545-conformance

Conversation

@brendanjryan (Collaborator)

Summary

  • Added a weak secret-key conformance vector for challenge ID generation.
  • Added an oversized WWW-Authenticate request parsing vector.
  • Updated bundled adapters and flow fixtures for the 32-byte server secret-key requirement.

Motivation

The conformance suite should catch SDKs that accept weak HMAC challenge secrets or parse oversized payment challenge request parameters without an early bound.

Key design considerations

  • Keeps successful challenge ID vectors on 32-byte-or-stronger fixture secrets.
  • Extends the vector runner to support expected generation failures without adding a new adapter operation.
  • Updates the flow harness secret so future conformant SDKs can run the end-to-end flow suite.

@brendanjryan brendanjryan marked this pull request as ready for review June 17, 2026 16:54

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1a75936346


}

const secretKey = 'conformance-secret'
const secretKey = 'conformance-secret-key-minimum-32'
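Review bot: the replacement fixture key 'conformance-secret-key-minimum-32' is 33 ASCII bytes, so it clears the 32-byte minimum by a single character; state the minimum next to the constant (for example a trailing comment such as `// >= 32 bytes, required by the server secret-key check`) or have the harness assert the byte length at startup, so that a later tidy-up of the literal cannot silently drop below the bound without the flow suite noticing.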


P2: Update server verification fixtures too

This updates the flow harness to a ≥32-byte key, but make server-verify still feeds secretKey: "secret-key" from conformance/server-verification/cases.json into adapters' server.verify inputs, and those fixture challenge IDs are HMACs over that short key. In SDKs that enforce the same minimum during server verification, the suite will fail before reaching the intended valid/invalid-challenge assertions; please update those server-verification secrets and recompute their challenge IDs alongside the flow fixture key.
