fix(setup): validate ISSUER_URL has scheme + strip trailing slash

A scheme-less issuer URL like `broker.litentry.org` was silently accepted
and propagated into BROKER_OIDC_ISSUER. The broker then emitted JWTs with
`iss: "broker.litentry.org"` (no `https://`), which AWS rejects at
AssumeRoleWithWebIdentity time and which causes the documented smoke test
`jq '.issuer == "https://broker.litentry.org"'` to print false.

Validate up front:
  • require https:// (or http:// with a warning — AWS won't accept it,
    but local dev might).
  • strip a trailing slash so BROKER_OIDC_ISSUER matches the JWT iss
    claim byte-for-byte.

Operators hitting the bad config in the wild: edit
/etc/systemd/system/agentkeys-broker.service so
Environment=BROKER_OIDC_ISSUER=https://<host>, daemon-reload, restart.
If you've already registered the OIDC provider on AWS with the wrong URL,
delete and recreate it.

Author: WildmetaAgent

scripts/setup-broker-host.sh

@@ -286,8 +286,16 @@ EOF
   fi
 fi
 
-# ─── Validate non-interactive inputs ─────────────────────────────────────────
+# ─── Validate inputs ─────────────────────────────────────────────────────────
 [[ -n "$ISSUER_URL" ]] || die "--issuer-url is required (e.g. https://broker.litentry.org). Drop --non-interactive for an interactive walk-through."
+case "$ISSUER_URL" in
+  https://*) ;;
+  http://*)  warn "issuer URL uses http:// — AWS IAM requires TLS; create-open-id-connect-provider will reject this. Continuing anyway."; ;;
+  *)         die "--issuer-url must start with https:// (got '$ISSUER_URL'). The bare hostname is not a valid OIDC issuer; AWS validates the iss claim byte-for-byte."; ;;
+esac
+# Strip trailing slash — BROKER_OIDC_ISSUER must match the JWT iss claim
+# byte-for-byte, and AWS rejects mismatches at AssumeRoleWithWebIdentity time.
+ISSUER_URL="${ISSUER_URL%/}"
 [[ -n "$ACCOUNT_ID" ]] || die "--account-id is required. Drop --non-interactive for an interactive walk-through."
 [[ -n "$CRED_MODE" ]]  || CRED_MODE="instance-profile"
 case "$CRED_MODE" in