fix nxapi hosted auth flow

[cesaregarza]

Summary

This PR fixes the hosted nxapi authentication flow so the scraper can actually use a JWKS-backed client end to end.

What changed

• added NXAPIClient support for generating fresh private_key_jwt client assertions from a PEM, jku, and kid
• threaded generated-assertion config through config-file and environment loading
• kept backward compatibility for legacy nxapi secret/env aliases
• hardened hosted nxapi request handling, including a one-time fallback when a stale X-znca-Client-Version is rejected
• updated the relevant tests and user-facing setup docs

Root cause

There were two separate runtime failures:

1. the scraper could not authenticate a JWKS-backed nxapi client because it only accepted a prebuilt assertion string and did not generate private_key_jwt assertions itself
2. after auth was fixed, the local config still carried a stale nxapi_client_version, which caused the hosted nxapi-znca-api service to reject the request with Invalid X-znca-Client-Version header

Validation

• pytest -q tests/auth/test_nso.py tests/auth/test_nxapi_client.py tests/auth/tokens/test_constructor.py tests/auth/tokens/test_manager.py tests/query/configuration/test_config.py tests/query/configuration/test_config_option_handler.py
• .venv/bin/pytest -q -m "not internet"
• live nxapi-auth token request returned 200
• live QueryHandler.from_config_file('.splatnet3_scraper').query('StageScheduleQuery') succeeded
• live QueryHandler.from_config_file('.splatnet3_scraper').query('XRankingQuery') succeeded

Follow-up

A separate follow-up PR can tighten style and alignment with existing hand-crafted main conventions without mixing that cleanup into the functional fix.

[sonarqubecloud]

Quality Gate passed

Issues
6 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud