YNX-1105c: cover auth nonce collision/rate limit failures

TASKLIST.md

@@ -1129,8 +1129,13 @@
   - PF-07: 已配对客户端重复配对保护
   - Edge Cases: 并发配对、过期清理验证
 
+- 已新增 `Yonexus.Server/tests/auth-failures.test.ts`
+  - AF-07: nonce collision 触发 re_pair_required
+  - AF-08: rate limit 触发 re_pair_required
+  - 覆盖 re_pair 后 secret 清理与 pairingStatus=revoked
+
 **待完成**
-- AF（Authentication Failures）测试套件
+- AF（Authentication Failures）剩余场景（stale/future timestamp、invalid signature 等）
 - RP（Re-pairing Triggers）测试套件
 - CF/HF/SR 边界场景测试
 

tests/failure-path/MATRIX.md

@@ -38,8 +38,8 @@ This document defines the systematic test coverage for pairing and authenticatio
 | AF-04 | Wrong secret | Client has outdated secret | `auth_failed(invalid_secret)` | ⬜ |
 | AF-05 | Stale timestamp | Proof timestamp >10s old | `auth_failed(stale_timestamp)` | ⬜ |
 | AF-06 | Future timestamp | Proof timestamp in future | `auth_failed(future_timestamp)` | ⬜ |
-| AF-07 | Nonce collision | Reused nonce within window | `auth_failed(nonce_collision)` → `re_pair_required` 🔴 | ⬜ |
-| AF-08 | Rate limited | >10 attempts in 10s | `auth_failed(rate_limited)` → `re_pair_required` 🔴 | ⬜ |
+| AF-07 | Nonce collision | Reused nonce within window | `auth_failed(nonce_collision)` → `re_pair_required` 🔴 | ✅ |
+| AF-08 | Rate limited | >10 attempts in 10s | `auth_failed(rate_limited)` → `re_pair_required` 🔴 | ✅ |
 | AF-09 | Wrong public key | Key doesn't match stored | `auth_failed(invalid_signature)` | ⬜ |
 | AF-10 | Malformed auth_request | Missing required fields | Protocol error | ⬜ |
 | AF-11 | Tampered proof | Modified signature | `auth_failed(invalid_signature)` | ⬜ |