fix(e2e): unblock two auth-matrix canary tests

Two distinct, pre-existing test bugs in tests/e2e/scenarios/test_v2_auth_oauth_matrix.py
that the newly-enabled live-canary PR workflow exposed:

1. test_wasm_channel_oauth_roundtrip: looked up the channel as
   "gmail-channel" but the backend canonicalizes extension identities
   by folding hyphens to underscores at ExtensionName construction
   (.claude/rules/types.md). The /api/extensions list therefore returns
   "gmail_channel"; switch the assertion and the setup URL accordingly.

2. test_wasm_tool_oauth_refresh_on_demand: OAuth refresh hits the mock
   proxy at http://127.0.0.1:<port>, but validate_oauth_proxy_url
   refuses loopback unless IRONCLAW_OAUTH_PROXY_ALLOW_LOOPBACK=1 is
   set. The env var is gated to cfg(any(test, debug_assertions)) so
   release binaries still reject it. Add it to the auth-matrix fixture
   env.

Verified locally: both tests pass; three remaining browser-UI failures
(test_chat_first_gmail_installs_prompts_and_retries,
test_settings_first_gmail_auth_then_chat_runs,
test_settings_first_custom_mcp_auth_then_chat_runs) are a separate
frontend/onboarding flow issue — follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Illia Polosukhin
2026-04-18 13:54:54 +00:00
parent 5342489589
commit ab17505ce5


@@ -318,6 +318,11 @@ async def _start_auth_matrix_server(
"ONBOARD_COMPLETED": "true",
"IRONCLAW_OAUTH_CALLBACK_URL": "https://oauth.test.example/oauth/callback",
"IRONCLAW_OAUTH_EXCHANGE_URL": exchange_url,
# The exchange proxy runs on 127.0.0.1 in tests; the SSRF guard
# for OAuth refresh refuses loopback by default. The env var is
# cfg(any(test, debug_assertions))-gated so it's a no-op in
# release builds, matching src/auth/mod.rs::validate_oauth_proxy_url.
"IRONCLAW_OAUTH_PROXY_ALLOW_LOOPBACK": "1",
"GOOGLE_OAUTH_CLIENT_ID": "hosted-google-client-id",
"IRONCLAW_TEST_HTTP_REMAP": (
f"gmail.googleapis.com={mock_api_url},"
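Review bot: the comment above the new "IRONCLAW_OAUTH_PROXY_ALLOW_LOOPBACK": "1" entry says the variable is a no-op in release builds, which means this fixture only unblocks the refresh test when the server under test is a debug build. If the canary workflow runs the suite against a release binary, validate_oauth_proxy_url will still refuse the 127.0.0.1 exchange proxy and the failure will look the same as the one being fixed. Consider stating the debug-build requirement in this comment, or having the fixture fail with an explicit message when the loopback allowance is not honoured.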
@@ -1171,10 +1176,14 @@ async def _wasm_tool_auth_url(server: dict) -> str:
async def _wasm_channel_auth_url(server: dict) -> str:
await _wait_for_extension(server["base_url"], "gmail-channel")
# Capabilities JSON still advertises "gmail-channel" for display, but the
# backend canonicalizes extension identities by folding hyphens to
# underscores (see `ExtensionName` / `.claude/rules/types.md`), so the
# listed name and setup route key is "gmail_channel".
await _wait_for_extension(server["base_url"], "gmail_channel")
response = await api_post(
server["base_url"],
"/api/extensions/gmail-channel/setup",
"/api/extensions/gmail_channel/setup",
json={"secrets": {}},
timeout=30,
)
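Review bot: the new comment in _wasm_channel_auth_url records that the capabilities JSON still advertises "gmail-channel" while the listed name and setup route key are "gmail_channel", but after this change nothing in the helper exercises the hyphenated form. A caller that builds the setup path from the advertised name would post to /api/extensions/gmail-channel/setup, so it is worth adding an assertion that pins what that route returns, keeping the split between display name and route key a deliberate, tested behaviour.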
@@ -1628,7 +1637,7 @@ async def test_wasm_channel_oauth_roundtrip(auth_matrix_server):
server = auth_matrix_server
auth_url = await _wasm_channel_auth_url(server)
readiness = await _wait_for_extension_readiness(server["base_url"], "gmail-channel")
readiness = await _wait_for_extension_readiness(server["base_url"], "gmail_channel")
assert readiness["phase"] == "needs_auth", readiness
assert readiness["authenticated"] is False, readiness
assert readiness["active"] is False, readiness
@@ -1636,9 +1645,9 @@ async def test_wasm_channel_oauth_roundtrip(auth_matrix_server):
response = await _complete_callback(server["base_url"], auth_url, code="mock_auth_code")
assert response.status_code == 200, response.text[:400]
extension = await _wait_for_extension(server["base_url"], "gmail-channel")
extension = await _wait_for_extension(server["base_url"], "gmail_channel")
assert extension["authenticated"] is True, extension
readiness = await _wait_for_extension_readiness(server["base_url"], "gmail-channel")
readiness = await _wait_for_extension_readiness(server["base_url"], "gmail_channel")
assert readiness["phase"] == "ready", readiness
assert readiness["authenticated"] is True, readiness
# This fixture uses a placeholder channel WASM payload, so it validates the
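Review bot: across these hunks the string "gmail_channel" is hard-coded at every _wait_for_extension and _wait_for_extension_readiness call and again in the setup path, so any future change to the canonical name means editing each call site by hand, as this commit does. A single module-level constant (for example, a hypothetical GMAIL_CHANNEL_NAME = "gmail_channel") that carries the canonicalization comment once would keep the call sites in step and remove the need to repeat the explanation.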