feat(headless-login): add jwks cache visibility and refresh flow

- replace inline headless jwks support with jwksUri-only validation
- add cached jwks refresh worker, manual refresh/revoke endpoints, and parsed key summaries
- expose allowed algorithms and key previews in DevFront with regression coverage

devfront/src/locales/en.toml

@@ -402,11 +402,19 @@ guide_step_1 = "Generate a key pair on the RP server and keep the private key on
 guide_step_2 = "Expose the public key from the RP backend through a JWKS (JSON Web Key Set) endpoint."
 guide_step_3 = "Enter a URL such as https://rp.example.com/.well-known/jwks.json in DevFront."
 headless_help = "You can design your own login UI within the application. While the UI is yours, the actual identity verification and security checks are handled in the background via Baron's API."
-jwks_inline_help = "Prefer the SSH-RSA public key format first. If you paste an 'ssh-rsa AAA...' key, Baron converts it to OIDC-standard JWKS (JSON) before saving."
 jwks_uri_help = "Enter the public key endpoint URL exposed by the RP backend. Example: https://rp.example.com/.well-known/jwks.json"
 request_object_alg_help = "Specify the JAR (Request Object) signing algorithm used for headless login."
-source_help = "Register the JWKS URI served by the RP so Baron can verify the public key."
+allowed_algorithms_help = "Headless login JAR verification accepts only the algorithms listed below."
 subtitle = "Manage the public key and headless login settings required for Headless Login evaluation."
+cache_empty = "No cached JWKS exists yet. Use Refresh to ask the backend to verify and cache the key."
+cache_help = "Shows the last JWKS verification state stored by the backend."
+cache_parsed_keys_help = "Raw JWKS stays hidden. Only parsed key metadata is shown here."
+cache_parsed_keys_empty = "No parsed JWKS keys are available yet."
+cache_refresh_failed = "Failed to refresh the JWKS cache: {{error}}"
+cache_refreshed = "JWKS cache refreshed."
+cache_revoke_confirm = "Deleting the JWKS cache means the backend must fetch and verify it again before the next use. Continue?"
+cache_revoke_failed = "Failed to delete the JWKS cache: {{error}}"
+cache_revoked = "JWKS cache deleted."
 
 [msg.dev.clients.general.public_key.validation]
 headless_requires_alg = "Headless login requires a Request Object Signing Algorithm."
@@ -1407,16 +1415,25 @@ guide_toggle = "JWKS URI Setup Guide"
 headless_disabled = "Headless Disabled"
 headless_enabled = "Headless Enabled"
 headless_toggle = "Headless Login"
-jwks_inline = "SSH-RSA or JWKS Public Key"
-jwks_inline_placeholder = "Paste an 'ssh-rsa AAA...' public key first. JWKS (JSON) is also accepted if needed."
 jwks_uri = "JWKS URI"
 jwks_uri_placeholder = "https://rp.example.com/.well-known/jwks.json"
 request_object_alg = "Request Object Signing Algorithm"
 request_object_alg_placeholder = "RS256"
-source = "Public Key Source"
-source_uri = "JWKS URI"
+allowed_algorithms = "Allowed Algorithms"
 title = "Public Key Registration"
 validation_title = "Check before saving"
+cache_error = "Last Error"
+cache_cached_at = "Cached At"
+cache_expires_at = "Expires At"
+cache_failures = "Consecutive Failures"
+cache_kids = "Cached KIDs"
+cache_last_checked_at = "Last Checked"
+cache_last_success = "Last Successful Verification"
+cache_parsed_keys = "Parsed Keys"
+cache_parsed_key_n = "n Preview"
+cache_status = "Status"
+cache_uri = "JWKS URI"
+revoke_cache = "Revoke Cache"
 
 [ui.dev.clients.help]
 docs_body = "Includes PKCE, client_secret_basic, redirect URI validation tips."

devfront/src/locales/ko.toml

@@ -402,18 +402,25 @@ guide_step_1 = "RP 서버에서 key pair를 생성하고 private key는 RP backe
 guide_step_2 = "RP backend가 public key를 JWKS(JSON Web Key Set) 형태로 제공하는 endpoint를 준비합니다."
 guide_step_3 = "예: https://rp.example.com/.well-known/jwks.json 같은 URL을 DevFront에 입력합니다."
 headless_help = "애플리케이션 고유의 디자인으로 로그인 화면을 구성할 수 있습니다. 실제 아이디/비밀번호 확인 및 보안 검증 로직은 Baron API를 통해 백그라운드에서 처리됩니다."
-jwks_inline_help = "SSH-RSA 공개키 형식을 우선 권장합니다. 'ssh-rsa AAA...' 형식으로 입력하면 Baron이 OIDC 표준인 JWKS(JSON)로 자동 변환하여 저장합니다."
 jwks_uri_help = "RP backend가 제공하는 공개키 endpoint URL을 입력하세요. 예: https://rp.example.com/.well-known/jwks.json"
 request_object_alg_help = "Headless Login을 사용할 때 JAR(Request Object) 서명 알고리즘을 명시합니다."
-source_help = "애플리케이션의 공개키(SSH-RSA)를 직접 등록하거나, 운영 환경이라면 JWKS URI를 통해 자동으로 검증할 수 있습니다."
+allowed_algorithms_help = "Headless Login JAR 검증은 아래 알고리즘만 허용합니다."
 subtitle = "Headless Login 판정에 필요한 공개키와 관련 설정을 관리합니다."
+cache_empty = "아직 캐시된 JWKS가 없습니다. Refresh를 눌러 백엔드가 공개키를 검증하고 캐시하도록 요청하세요."
+cache_help = "백엔드가 저장한 마지막 JWKS 검증 상태를 보여줍니다."
+cache_parsed_keys_help = "원본 JWKS 전체는 숨기고, 파싱된 키 메타데이터만 보여줍니다."
+cache_parsed_keys_empty = "아직 파싱된 JWKS 키가 없습니다."
+cache_refresh_failed = "JWKS 캐시 새로고침에 실패했습니다: {{error}}"
+cache_refreshed = "JWKS 캐시를 새로 고쳤습니다."
+cache_revoke_confirm = "JWKS 캐시를 삭제하면 다음 사용 전에 백엔드가 다시 가져와 검증해야 합니다. 계속할까요?"
+cache_revoke_failed = "JWKS 캐시 삭제에 실패했습니다: {{error}}"
+cache_revoked = "JWKS 캐시를 삭제했습니다."
 
 [msg.dev.clients.general.public_key.validation]
 headless_requires_alg = "Headless Login을 사용하려면 Request Object Signing Algorithm을 입력해야 합니다."
 headless_requires_private_key_jwt = "Headless Login을 사용하려면 token endpoint auth method가 private_key_jwt여야 합니다."
 headless_requires_public_key = "Headless Login을 사용하려면 JWKS URI가 필요합니다."
 invalid_jwks_uri = "JWKS URI 형식이 올바르지 않습니다."
-missing_jwks_inline = "공개키(SSH-RSA 또는 JWKS)를 입력해야 합니다."
 private_key_jwt_requires_public_key = "서명 키 기반 인증을 사용하려면 JWKS URI가 필요합니다."
 
 [msg.dev.clients.help]
@@ -1407,16 +1414,25 @@ guide_toggle = "JWKS URI 준비 가이드"
 headless_disabled = "Headless Disabled"
 headless_enabled = "Headless Enabled"
 headless_toggle = "Headless Login"
-jwks_inline = "SSH-RSA 또는 JWKS 공개키"
-jwks_inline_placeholder = "'ssh-rsa AAA...' 형식의 공개키를 먼저 붙여넣으세요. 필요하면 JWKS (JSON)도 입력할 수 있습니다."
 jwks_uri = "JWKS URI"
 jwks_uri_placeholder = "https://rp.example.com/.well-known/jwks.json"
 request_object_alg = "Request Object Signing Algorithm"
 request_object_alg_placeholder = "RS256"
-source = "Public Key Source"
-source_uri = "JWKS URI"
+allowed_algorithms = "허용 알고리즘"
 title = "공개키 등록"
 validation_title = "저장 전 확인 필요"
+cache_error = "마지막 오류"
+cache_cached_at = "캐시 시각"
+cache_expires_at = "만료 시각"
+cache_failures = "연속 실패 횟수"
+cache_kids = "캐시된 KID"
+cache_last_checked_at = "마지막 확인"
+cache_last_success = "마지막 성공 검증"
+cache_parsed_keys = "파싱된 키"
+cache_parsed_key_n = "n 미리보기"
+cache_status = "상태"
+cache_uri = "JWKS URI"
+revoke_cache = "캐시 삭제"
 
 [ui.dev.clients.help]
 docs_body = "Includes PKCE, client_secret_basic, redirect URI validation tips."

devfront/src/locales/template.toml

@@ -402,11 +402,19 @@ guide_step_1 = ""
 guide_step_2 = ""
 guide_step_3 = ""
 headless_help = ""
-jwks_inline_help = ""
 jwks_uri_help = ""
 request_object_alg_help = ""
-source_help = ""
+allowed_algorithms_help = ""
 subtitle = ""
+cache_empty = ""
+cache_help = ""
+cache_parsed_keys_help = ""
+cache_parsed_keys_empty = ""
+cache_refresh_failed = ""
+cache_refreshed = ""
+cache_revoke_confirm = ""
+cache_revoke_failed = ""
+cache_revoked = ""
 
 [msg.dev.clients.general.public_key.validation]
 headless_requires_alg = ""
@@ -1406,16 +1414,25 @@ guide_toggle = ""
 headless_disabled = ""
 headless_enabled = ""
 headless_toggle = ""
-jwks_inline = ""
-jwks_inline_placeholder = ""
 jwks_uri = ""
 jwks_uri_placeholder = ""
 request_object_alg = ""
 request_object_alg_placeholder = ""
-source = ""
-source_uri = ""
+allowed_algorithms = ""
 title = ""
 validation_title = ""
+cache_error = ""
+cache_cached_at = ""
+cache_expires_at = ""
+cache_failures = ""
+cache_kids = ""
+cache_last_checked_at = ""
+cache_last_success = ""
+cache_parsed_keys = ""
+cache_parsed_key_n = ""
+cache_status = ""
+cache_uri = ""
+revoke_cache = ""
 
 [ui.dev.clients.help]
 docs_body = ""