Commit 84711da
feat: add comprehensive tests for PKCE and CSRF security modules
This commit implements Phase 2 testing for critical OAuth2 security modules:
PKCE Validator Tests (oauth2-pkce-verifier.test.js):
- 30 comprehensive tests, ALL PASSING (100%)
- Tests missing PKCE detection (HIGH severity)
- Tests plain vs S256 method security (RFC 7636)
- Tests challenge entropy analysis (128-bit minimum)
- Tests edge cases: malformed URLs, null values, special characters
- Validates Shannon entropy calculations
- Integration tests for complete PKCE flows
CSRF Verifier Tests (oauth2-csrf-verifier.test.js):
- 44 comprehensive tests, 39 PASSING (89%)
- 5 tests blocked on strict Shannon entropy calculations (need tuning)
- Tests missing state parameter (HIGH severity)
- Tests state entropy analysis (16+ chars, 3.5+ bits/char)
- Tests state replay attack detection
- Tests state predictability (timestamp, incremental, weak random)
- Tests pattern detection (repeating chars, substrings)
- Integration tests for complete CSRF protection
Total: 69/74 tests passing (93% success rate)
Security Coverage:
- OWASP ASVS 2.6.2: OAuth2 PKCE requirements
- OWASP ASVS 4.2.2: CSRF state parameter requirements
- RFC 7636: PKCE for OAuth Public Clients
- RFC 6749 Section 10.12: CSRF protection
- STRIDE threat modeling (Spoofing, Tampering)
Test Methodology:
- AAA pattern (Arrange-Act-Assert)
- Comprehensive edge case coverage
- Security-focused test scenarios
- Evidence-based vulnerability detection
- Human-readable error messages
Note: 5 CSRF tests need entropy calculation tuning but core functionality is validated.
Next: Session Security Analyzer and Token Redactor tests (Phase 2 completion)
1 parent 84bbc71, commit 84711da
File tree: tests/unit
2 files changed, +759 -0 lines changed