Attesto.SignedIntrospection (Attesto v0.6.13)


JWT response for OAuth 2.0 Token Introspection (RFC 9701).

Builds the signed JWT an authorization server returns from its introspection endpoint (RFC 7662) when the caller requests application/token-introspection+jwt, giving the introspection response integrity and non-repudiation (FAPI 2.0 Message Signing §5.5).

This is conn-free core: it turns the issuer/keystore on the Attesto.Config, the caller the response is addressed to, and the RFC 7662 introspection response map into a compact JWS. The transport layer (the introspection endpoint) decides - by content negotiation - whether to return the plain JSON response or this signed JWT; nothing here touches HTTP.

JWT claims (RFC 9701 §5)

  • iss - REQUIRED, the authorization server's issuer identifier.
  • aud - REQUIRED, the entity that requested the introspection (the authenticated client_id).
  • iat - REQUIRED, the issuance time.
  • token_introspection - REQUIRED, a JSON object that is the RFC 7662 introspection response (active plus, when active, the token's claims).

The JOSE header typ is fixed to "token-introspection+jwt" (RFC 9701 §5), the explicit type that distinguishes a signed introspection response from any other JWT. Signing mirrors Attesto.IDToken / Attesto.JARM: the keystore's current signing key and algorithm, with the kid in the header, signed through Attesto.JWS so the algorithm is pinned (never none).
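As an added example (not Attesto code), the consumer's side of this format in Python: it mints a token with the header and claim set described above and then checks it the way an RFC 9701 caller should, with typ and alg pinned, the signature verified, iss/aud matched, iat/exp checked, and token_introspection required. It assumes an HMAC key as a stand-in for the keystore's signing key; the real response is signed with the keystore's asymmetric key and kid.

```python
import base64, hashlib, hmac, json

TYP = "token-introspection+jwt"  # RFC 9701 §5 explicit type
ALG = "HS256"                    # stand-in (assumption) for the keystore's pinned algorithm

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def mint(key: bytes, iss: str, aud: str, introspection: dict, now: int, lifetime=None) -> str:
    """Build the RFC 9701 claim set (iss, aud, iat, token_introspection, optional exp) and sign it."""
    claims = {"iss": iss, "aud": aud, "iat": now, "token_introspection": introspection}
    if lifetime:
        claims["exp"] = now + lifetime
    header = {"alg": ALG, "typ": TYP, "kid": "demo-key-1"}  # kid is a constructed value
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify(token: str, key: bytes, iss: str, aud: str, now: int, skew: int = 60) -> dict:
    """Return the token_introspection object, or raise ValueError on any failed check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("typ") != TYP:
        raise ValueError("wrong typ")         # an ordinary JWT is not an introspection response
    if header.get("alg") != ALG:
        raise ValueError("alg not pinned")    # refuses 'none' and any algorithm swap
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != iss or claims.get("aud") != aud:
        raise ValueError("iss/aud mismatch")  # response minted for another caller is rejected
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + skew:
        raise ValueError("iat missing or in the future")
    if "exp" in claims and claims["exp"] < now - skew:
        raise ValueError("expired")
    ti = claims.get("token_introspection")
    if not isinstance(ti, dict) or not isinstance(ti.get("active"), bool):
        raise ValueError("token_introspection missing or malformed")
    return ti
```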

Summary

Functions

header_typ()

The JOSE header typ a signed introspection response carries (RFC 9701 §5).

response_jwt(config, audience, introspection_response, opts \\ [])

Build and sign the RFC 9701 introspection response JWT addressed to audience, wrapping the RFC 7662 introspection_response. Returns {:ok, compact_jws}.

Types

opts()

@type opts() :: [now: integer() | DateTime.t(), lifetime: pos_integer()]

response()

@type response() :: %{optional(String.t()) => term()}

Functions

header_typ()

@spec header_typ() :: String.t()

The JOSE header typ a signed introspection response carries (RFC 9701 §5).

response_jwt(config, audience, introspection_response, opts \\ [])

@spec response_jwt(Attesto.Config.t(), String.t(), response(), opts()) ::
  {:ok, String.t()}

Build and sign the RFC 9701 introspection response JWT addressed to audience, wrapping the RFC 7662 introspection_response. Returns {:ok, compact_jws}.

Options:

  • :now - the issuance time (integer Unix seconds or DateTime), for deterministic tests; defaults to the current time.
  • :lifetime - when given (seconds), adds an exp that many seconds after iat; omitted by default.