Add sinon/rewire unit tests for OCSP verification

[claude]

Summary

• Adds performOCSPCheck() tests using rewire to mock the getCertStatus export from easy-ocsp (which has non-configurable property descriptors, so sinon.stub can't be used directly). Covers good, revoked (with and without reason), unknown, AbortError/timeout, network-error, timeout forwarding, and OCSP URL passthrough.
• Adds verifyOCSP() tests that clear the require cache per test and stub getCertificateCacheTable on verificationUtils so each test gets an isolated cache mock. Covers cache-hit good/revoked, cached flag (hit vs source-fetch), null-cache fail-closed/fail-open, and context passthrough to the cache get() call.

Existing tests (smoke-test style with invalid certs) are unchanged.

Test plan

• npm run test:unit:security — 325 passing (up from 310), 1 pending, 2 pre-existing failures unrelated to cert verification

Closes #119

🤖 Generated with Claude Code

[claude]

Reviewed; no blockers found.

[heskew]

@claude run npm run format:write to fix the prettier issues in unitTests/security/certificateVerification/ocspVerification.test.js, then commit + push. Format-only change, no other edits.

[heskew]

Closing + reopening to force CI retrigger — Claude's format-fix commit was authored by github-actions[bot], and GITHUB_TOKEN-pushed commits don't trigger downstream workflows (deliberate loop-prevention guard). Reopening will fire pull_request.reopened on the current HEAD.

[kriszyp]

I thought we were trying to reduce our usage of rewire (incompatible with TypeStrip), but whatever, hard to turn down more tests 🤷 .

[heskew]

I thought we were trying to reduce our usage of rewire (incompatible with TypeStrip), but whatever, hard to turn down more tests 🤷 .

Yep. I need to tell claude. It saw what had been used elsewhere and went with it. I'll have it re-try after some workflow update(s).

[heskew]

@kriszyp #491