PR #501 (FED-M2-11) added strict `new X509Certificate(certPem)` parsing
without falling back silently — but the existing test mocks were still
returning dummy strings, so 13+6 tests have been failing on `main` since
that merge with `error:0680007B:asn1 encoding routines::header too long`.
Also fixes a mock gap introduced by CRIT-2 in the same PR: the tx mock
did not have a `.returning()` method on the grant-activation update path,
causing 6 of the 13 failures with `TypeError: not a function`.
Add a test helper that generates a real self-signed EC P-256 cert via
@peculiar/x509 and use it in the EnrollmentService and CaService spec
mocks. Two variants:
- makeSelfSignedCert() plain cert for extractCertNotAfter
- makeMosaicIssuedCert(opts) cert with Mosaic OID extensions for CRIT-1
Production strictness is intentionally preserved.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
