feat: add get-url subcommands for discovery, jwks, and issuer #16

@MaxAnderson95

Summary

Add three read-only subcommands that print a single URL to stdout, computed locally from the config — no network calls:

  • jotsmith discovery get-url — prints the OIDC discovery document URL (<issuer>/<discovery_path>)
  • jotsmith jwks get-url — prints the JWKS URL (<issuer>/<jwks_path>)
  • jotsmith issuer get-url — prints the base issuer URL (config.Issuer, verbatim)

Motivation

When wiring up an OIDC-federation consumer (octo-sts trust policy, Vault JWT auth, AWS IAM OIDC, GCP WIF) you frequently need to paste one of these URLs into another config. Today the only way to get them is discovery show / jwks show (which print full JSON, not the URL) or eyeballing config show. A clean, scriptable one-URL-per-command surface makes these trivial to capture in shell:

ISS=$(jotsmith issuer get-url)
DISC=$(jotsmith discovery get-url)
JWKS=$(jotsmith jwks get-url)

Behavior

  • Each command prints exactly one URL plus a trailing \n to stdout. Nothing else goes to stdout (consistent with the project's stdout-is-the-payload invariant for token mint). Logs/errors go to stderr.
  • Purely local: read the config, compute the URL, print it. No HTTP, no Azure calls.
  • URL construction:
    • issuer = config.Issuer (printed verbatim, no trailing-slash mangling beyond what's already canonicalized in config).
    • discovery URL = <issuer> + / + config.DiscoveryPath.
    • jwks URL = <issuer> + / + config.JwksPath.
  • Join carefully so we never emit a double slash or a missing slash, regardless of whether issuer has a trailing / or the *_path has a leading /. The discovery doc's jwks_uri and these printed URLs must be byte-identical to what setup/doctor publish — the OIDC iss/jwks_uri matching is exact (see PRD gotcha on canonical issuer string).

Notes / design questions

  • This introduces a new top-level noun, issuer. For now its only subcommand is get-url. Per AGENTS.md, add internal/cli/issuer.go and wire it into the root. discovery get-url and jwks get-url extend the existing discovery/jwks nouns alongside their show subcommands.
  • get-url (kebab-case) is the proposed verb. Alternative spellings (url, show-url) were considered; get-url reads clearly and leaves room for sibling verbs later. Open to a different name if there's a stronger convention.
  • These mirror the existing read-only show commands and inherit the global flags (--config, --log-level, --no-color).

Acceptance criteria

  • jotsmith discovery get-url prints the discovery URL and only the URL to stdout.
  • jotsmith jwks get-url prints the JWKS URL and only the URL to stdout.
  • jotsmith issuer get-url prints config.Issuer and only that to stdout.
  • No network or Azure calls are made by any of the three.
  • URL joining is robust to trailing/leading slashes and matches the published jwks_uri exactly.
  • Each command has a usage example in its Description so --help is self-sufficient.

Originally created in OpenCode session ID: ses_17af4d010ffeiUY2VCf49061Kj
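
The slash-robust join and the byte-identical `jwks_uri` check asked for under Behavior, as an added Go example that is not the project's own code. The function names `joinIssuerPath` and `jwksURIMatches` are hypothetical, and the issuer and paths are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// joinIssuerPath (hypothetical helper) joins an issuer and a path with
// exactly one "/", whether or not the issuer ends in "/" or the path
// starts with "/".
func joinIssuerPath(issuer, path string) string {
	return strings.TrimRight(issuer, "/") + "/" + strings.TrimLeft(path, "/")
}

// jwksURIMatches (hypothetical helper) reports whether the jwks_uri in a
// discovery document is byte-identical to the locally computed URL.
// No normalization is applied on purpose: consumers compare these
// strings exactly, so a stray slash must show up as a mismatch.
func jwksURIMatches(discoveryDoc []byte, computed string) (bool, error) {
	var doc struct {
		JwksURI string `json:"jwks_uri"`
	}
	if err := json.Unmarshal(discoveryDoc, &doc); err != nil {
		return false, fmt.Errorf("parse discovery document: %w", err)
	}
	return doc.JwksURI == computed, nil
}

func main() {
	// Constructed sample values, not taken from the project.
	issuer := "https://issuer.example.com/tenant/"
	jwks := joinIssuerPath(issuer, "/keys/jwks.json")
	doc := []byte(`{"issuer":"https://issuer.example.com/tenant",` +
		`"jwks_uri":"https://issuer.example.com/tenant/keys/jwks.json"}`)
	ok, err := jwksURIMatches(doc, jwks)
	fmt.Println(jwks, ok, err)
}
```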
