feat(provider): support for token exchange #1970

Draft
grs wants to merge 1 commit into NVIDIA:main from grs:token-exchange

Conversation

@grs grs commented Jun 22, 2026


Summary

This PR adds the ability to specify token_exchange instead of a simple token_grant in a provider profile. As with the existing token grants, the token exchange is initiated by the supervisor proxy. In the case of an exchange, however, it requires a subject token that has the supervisor client's ID in the audience. To get this the supervisor first requests a token from the gateway. The gateway does the first exchange, using the identified credential in a provider as the subject and requesting the audience needed for the supervisor (which is based on the supervisor's SPIFFE ID). The token from that exchange is then returned to the supervisor, which uses it as the subject for a further exchange. The resulting token then has the subject of the original provider credential but the sandbox (as identified by its SPIFFE ID) as the authorized party. An option was also added to the CLI for provider create|update, allowing the current OIDC token to be stored.

Related Issue

Changes

  • Added token_exchange as a provider token grant mode alongside client_credentials.
  • Extended provider profiles/protobuf with subject-token metadata, requested token type, and SPIFFE JWT-SVID settings.
  • Added gateway-side subject-token exchange support for sandbox-scoped dynamic credentials.
  • Added shared SPIFFE/JWT-SVID helpers and gateway SPIFFE Workload API Helm wiring.
  • Updated CLI option to store current OIDC token.

Testing

  • mise run pre-commit passes
  • Unit tests added/updated
  • E2E tests added/updated (if applicable)
  • Manual tests of token exchange, including with updated token, as well as of the original simple token grant.

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)
  • Architecture docs updated (if applicable)

…nt credentials as OAuth grant_type

Signed-off-by: Gordon Sim <gsim@redhat.com>
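The two-hop exchange described in the summary, modelled as an added example (not the PR's or the project's code): tokens are HMAC-signed JSON claim sets so it runs with the standard library alone, standing in for signed JWT-SVIDs and an RFC 8693 exchange endpoint. The SPIFFE IDs, upstream API URL and claim names are constructed assumptions, as is the choice to let the supervisor proxy's SPIFFE ID identify the sandbox it fronts.

```python
import base64
import hashlib
import hmac
import json

ISSUER_KEY = b"example-issuer-key"  # constructed: stands in for the issuer's signing key
GATEWAY_ID = "spiffe://example.org/gateway"  # constructed SPIFFE IDs and upstream API follow
SANDBOX_ID = "spiffe://example.org/sandbox/42"  # assumed: the supervisor proxy's SPIFFE ID identifies its sandbox
PROVIDER_API = "https://provider.example.com/api"

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue(claims: dict) -> str:
    """Mint a compact 'body.signature' token; HMAC stands in for the issuer's JWT signature."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())

def verify(token: str) -> dict:
    body, sig = token.split(".")
    expected = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def exchange(subject_token: str, requester: str, requested_aud: str) -> str:
    """RFC 8693-style exchange: the requester must be named in the subject token's audience; the
    result keeps the original subject, is scoped to requested_aud and records the requester as azp."""
    claims = verify(subject_token)
    if requester not in claims.get("aud", []):
        raise PermissionError(f"subject token was not issued for {requester}")
    return issue({"sub": claims["sub"], "aud": [requested_aud], "azp": requester})

def two_hop_exchange(provider_credential: str, sandbox_id: str, resource: str) -> dict:
    """Hop 1 (gateway): provider credential -> token whose audience is the supervisor.
    Hop 2 (supervisor): that token -> token for the upstream resource with azp = sandbox."""
    for_supervisor = exchange(provider_credential, requester=GATEWAY_ID, requested_aud=sandbox_id)
    return verify(exchange(for_supervisor, requester=sandbox_id, requested_aud=resource))

def provider_credential_for_test() -> str:
    # Constructed stand-in for the OIDC token the CLI stores in the provider profile.
    return issue({"sub": "alice@example.com", "aud": [GATEWAY_ID]})

def direct_exchange_is_refused(provider_credential: str) -> bool:
    """Without hop 1 the sandbox is not in the credential's audience, so the exchange is refused."""
    try:
        exchange(provider_credential, requester=SANDBOX_ID, requested_aud=PROVIDER_API)
    except PermissionError:
        return True
    return False
```

The audience check in exchange() is the property the first hop exists to satisfy: the supervisor can only exchange a token that the gateway has already scoped to it.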
copy-pr-bot Bot commented Jun 22, 2026


This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.
