/whoami

Mints an audience-bound OIDC token via the local /api/auth/api-token route, then calls https://api.smoke-test.os.wine-hero.co.uk/api/whoami cross-origin. Exercises the chassis CORS policy + tenant resolution.