Fix source code bugs discovered during test coverage expansion

[Avery-Dunn]

Fixes 8 source code bugs discovered while expanding unit test coverage. These bugs range from copy-paste errors in validation to a field initialization order bug introduced when Lombok was removed from the project.

Bugs Fixed

1. AuthenticationResult field initialization order

Root cause: When Lombok was removed (commit 67d3131a, April 2025), @Getter(lazy = true) fields were incorrectly translated to eager field initializers. Java field initializers run before the constructor body, so derived fields (idTokenObject, account, tenantProfile) were always computed when their source fields (idToken, accountCacheEntity) were still null.

Impact:

• tenantProfile() always returned null (publicly visible via IAuthenticationResult)
• idTokenObject always null (internal only)
• account field always null, though the public getter re-called getAccount() and worked correctly

Fix: Moved derived field computation into the constructor body, after source fields are assigned. Added graceful error handling in getIdTokenObj() and getTenantProfile() so malformed ID tokens (e.g., from cache) produce null rather than throwing exceptions.

2. AuthenticationResult.getTenantProfile() latent NPE

Root cause: getTenantProfile() called getAccount().environment() without null-checking getAccount(). Previously masked by bug #1 (idToken was always null during init, so getTenantProfile() returned early).

Fix: Added null check for getAccount() before calling .environment().

3. Missing equals/hashCode on AuthenticationResult-related classes

Root cause: AuthenticationResultMetadata, IdToken, and TenantProfile used Object reference equality. Since AuthenticationResult.equals() compares these fields, two AuthenticationResult instances with equivalent but separately-constructed metadata/idToken/tenantProfile would fail equality checks.

Fix: Added proper equals() and hashCode() implementations to all three classes.

4. DeviceCodeFlowParameters validates wrong field

Location: DeviceCodeFlowParameters.java:118
Bug: validateNotNull("deviceCodeConsumer", scopes) — validates scopes instead of deviceCodeConsumer.
Fix: Changed to validateNotNull("deviceCodeConsumer", deviceCodeConsumer).

5. RefreshTokenParameters validates wrong field

Location: RefreshTokenParameters.java:116
Bug: validateNotNull("refreshToken", scopes) — same copy-paste error.
Fix: Changed to validateNotNull("refreshToken", refreshToken).

6. ErrorResponse.toJson() double writeStartObject

Location: ErrorResponse.java:67-68
Bug: Called writeStartObject() twice, causing IllegalStateException on any toJson() call.
Fix: Removed the duplicate call.

7. RequestedClaim.toJson() invalid JSON structure

Location: RequestedClaim.java:53
Bug: Called writeString(name) inside an object context, producing invalid JSON.
Fix: Changed to writeFieldName(name).

8. OidcDiscoveryResponse.toJson() missing issuer

Location: OidcDiscoveryResponse.java:49-50
Bug: toJson() did not include the issuer field, so fromJson() → toJson() round-trips lost data.
Fix: Added writeStringField("issuer", issuer).

Test Changes

Updated tests

• AuthenticationResultTest.java (40 tests, was 35 before this branch): Updated 3 derived-field tests from asserting null (documenting bug) to asserting non-null (correct behavior). Removed duplicate test. Added build_WithIdTokenButNullAccount_TenantProfileIsNull for the null-check fix. Added 3 AuthenticationResultMetadata equals/hashCode tests. Added metadata to parameterized equals provider.
• ParameterBuilderTest.java: Updated deviceCodeFlow and refreshToken validation tests from documenting wrong-field behavior to testing correct-field validation.
• ResponseParsingTest.java: Updated errorResponse_toJson and requestedClaim_toJson tests from assertThrows (documenting bug) to asserting correct JSON output. Updated oidcDiscoveryResponse_toJson to verify issuer is included.