Harden the custom-tags feature against misuse and
misconfiguration:
- Validate input is a JSON object (reject arrays, primitives, null)
- Enforce STS tag constraints: key length (128), value length (256),
allowed characters
- Reject nested object/array values that would silently stringify to
'[object Object]'
- Block overriding default session tags (GitHub, Repository,
Workflow, etc.)
- Enforce 50-tag session limit
- Warn when custom-tags used with OIDC or web identity
- Fix missing await on helpers test assertion
- Remove unused CUSTOM_TAGS_JSON_INPUTS fixture
- Normalize test mocking to vi.mocked() pattern
d05a2190d4