Fix E2E test gaps and add comprehensive E2E + parity test suites

- Fix pull consumer fetch: send original stream subject in HMSG (not inbox)
  so NATS client distinguishes data messages from control messages
- Fix MaxAge expiry: add background timer in StreamManager for periodic pruning
- Fix JetStream wire format: Go-compatible anonymous objects with string enums,
  proper offset-based pagination for stream/consumer list APIs
- Add 42 E2E black-box tests (core messaging, auth, TLS, accounts, JetStream)
- Add ~1000 parity tests across all subsystems (gaps closure)
- Update gap inventory docs to reflect implementation status

tests/NATS.Server.Tests/Monitoring/ConnzParityFieldTests.cs

@@ -1,4 +1,5 @@
 using System.Text.Json;
+using System.Text;
 
 namespace NATS.Server.Tests;
 
@@ -8,14 +9,46 @@ public class ConnzParityFieldTests
     public async Task Connz_includes_identity_tls_and_proxy_parity_fields()
     {
         await using var fx = await MonitoringParityFixture.StartAsync();
-        await fx.ConnectClientAsync("u", "orders.created");
+        var jwt = BuildJwt("UISSUER", ["team:core", "tier:gold"]);
+        await fx.ConnectClientAsync("proxy:edge", "orders.created", jwt);
 
-        var connz = fx.GetConnz("?subs=detail");
+        var connz = fx.GetConnz("?subs=detail&auth=true");
         connz.Conns.ShouldNotBeEmpty();
+        var conn = connz.Conns.Single(c => c.AuthorizedUser == "proxy:edge");
+        conn.Proxy.ShouldNotBeNull();
+        conn.Proxy.Key.ShouldBe("edge");
+        conn.Jwt.ShouldBe(jwt);
+        conn.IssuerKey.ShouldBe("UISSUER");
+        conn.Tags.ShouldContain("team:core");
 
         var json = JsonSerializer.Serialize(connz);
         json.ShouldContain("tls_peer_cert_subject");
-        json.ShouldContain("jwt_issuer_key");
+        json.ShouldContain("tls_peer_certs");
+        json.ShouldContain("issuer_key");
+        json.ShouldContain("\"tags\"");
         json.ShouldContain("proxy");
+        json.ShouldNotContain("jwt_issuer_key");
+    }
+
+    private static string BuildJwt(string issuer, string[] tags)
+    {
+        static string B64Url(string json)
+        {
+            return Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
+                .TrimEnd('=')
+                .Replace('+', '-')
+                .Replace('/', '_');
+        }
+
+        var header = B64Url("{\"alg\":\"none\",\"typ\":\"JWT\"}");
+        var payload = B64Url(JsonSerializer.Serialize(new
+        {
+            iss = issuer,
+            nats = new
+            {
+                tags,
+            },
+        }));
+        return $"{header}.{payload}.eA";
     }
 }

tests/NATS.Server.Tests/Monitoring/ConnzParityFilterTests.cs

@@ -46,6 +46,7 @@ internal sealed class MonitoringParityFixture : IAsyncDisposable
             [
                 new User { Username = "u", Password = "p", Account = "A" },
                 new User { Username = "v", Password = "p", Account = "B" },
+                new User { Username = "proxy:edge", Password = "p", Account = "A" },
             ],
         };
 
@@ -56,7 +57,7 @@ internal sealed class MonitoringParityFixture : IAsyncDisposable
         return new MonitoringParityFixture(server, options, cts);
     }
 
-    public async Task ConnectClientAsync(string username, string? subscribeSubject)
+    public async Task ConnectClientAsync(string username, string? subscribeSubject, string? jwt = null)
     {
         var client = new TcpClient();
         await client.ConnectAsync(IPAddress.Loopback, _server.Port);
@@ -65,7 +66,10 @@ internal sealed class MonitoringParityFixture : IAsyncDisposable
         var stream = client.GetStream();
         await ReadLineAsync(stream); // INFO
 
-        var connect = $"CONNECT {{\"user\":\"{username}\",\"pass\":\"p\"}}\r\n";
+        var connectPayload = string.IsNullOrWhiteSpace(jwt)
+            ? $"{{\"user\":\"{username}\",\"pass\":\"p\"}}"
+            : $"{{\"user\":\"{username}\",\"pass\":\"p\",\"jwt\":\"{jwt}\"}}";
+        var connect = $"CONNECT {connectPayload}\r\n";
         await stream.WriteAsync(Encoding.ASCII.GetBytes(connect));
         if (!string.IsNullOrEmpty(subscribeSubject))
             await stream.WriteAsync(Encoding.ASCII.GetBytes($"SUB {subscribeSubject} sid-{username}\r\n"));
@@ -82,7 +86,7 @@ internal sealed class MonitoringParityFixture : IAsyncDisposable
 
     public async Task<Varz> GetVarzAsync()
     {
-        using var handler = new VarzHandler(_server, _options);
+        using var handler = new VarzHandler(_server, _options, NullLoggerFactory.Instance);
         return await handler.HandleVarzAsync();
     }
 

tests/NATS.Server.Tests/Monitoring/MonitoringHealthAndSortParityBatch1Tests.cs

@@ -0,0 +1,39 @@
+using System.Text.Json;
+using NATS.Server.Monitoring;
+
+namespace NATS.Server.Tests.Monitoring;
+
+public class MonitoringHealthAndSortParityBatch1Tests
+{
+    [Fact]
+    public void SortOpt_IsValid_matches_defined_values()
+    {
+        foreach (var value in Enum.GetValues<SortOpt>())
+            value.IsValid().ShouldBeTrue();
+
+        ((SortOpt)999).IsValid().ShouldBeFalse();
+    }
+
+    [Fact]
+    public void HealthStatus_ok_serializes_with_go_shape_fields()
+    {
+        var json = JsonSerializer.Serialize(HealthStatus.Ok());
+
+        json.ShouldContain("\"status\":\"ok\"");
+        json.ShouldContain("\"status_code\":200");
+        json.ShouldContain("\"errors\":[]");
+    }
+
+    [Fact]
+    public void HealthzError_serializes_enum_as_string()
+    {
+        var json = JsonSerializer.Serialize(new HealthzError
+        {
+            Type = HealthzErrorType.JetStream,
+            Error = "jetstream unavailable",
+        });
+
+        json.ShouldContain("\"type\":\"JetStream\"");
+        json.ShouldContain("\"error\":\"jetstream unavailable\"");
+    }
+}

tests/NATS.Server.Tests/Monitoring/TlsPeerCertParityTests.cs

@@ -0,0 +1,65 @@
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using System.Text.Json;
+using NATS.Server.Monitoring;
+
+namespace NATS.Server.Tests.Monitoring;
+
+public class TlsPeerCertParityTests
+{
+    [Fact]
+    public void TLSPeerCert_serializes_go_shape_fields()
+    {
+        var cert = new TLSPeerCert
+        {
+            Subject = "CN=peer",
+            SubjectPKISha256 = new string('a', 64),
+            CertSha256 = new string('b', 64),
+        };
+
+        var json = JsonSerializer.Serialize(cert);
+
+        json.ShouldContain("\"subject\":\"CN=peer\"");
+        json.ShouldContain("\"subject_pk_sha256\":");
+        json.ShouldContain("\"cert_sha256\":");
+    }
+
+    [Fact]
+    public void TlsPeerCertMapper_produces_subject_and_sha256_values_from_certificate()
+    {
+        using var rsa = RSA.Create(2048);
+        var req = new CertificateRequest("CN=peer", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+        using var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));
+
+        var mapped = TlsPeerCertMapper.FromCertificate(cert);
+
+        mapped.Length.ShouldBe(1);
+        mapped[0].Subject.ShouldContain("CN=peer");
+        mapped[0].SubjectPKISha256.Length.ShouldBe(64);
+        mapped[0].CertSha256.Length.ShouldBe(64);
+    }
+
+    [Fact]
+    public void ConnInfo_json_includes_tls_peer_certs_array()
+    {
+        var info = new ConnInfo
+        {
+            Cid = 1,
+            TlsPeerCertSubject = "CN=peer",
+            TlsPeerCerts =
+            [
+                new TLSPeerCert
+                {
+                    Subject = "CN=peer",
+                    SubjectPKISha256 = new string('c', 64),
+                    CertSha256 = new string('d', 64),
+                },
+            ],
+        };
+
+        var json = JsonSerializer.Serialize(info);
+        json.ShouldContain("\"tls_peer_certs\":[");
+        json.ShouldContain("\"subject_pk_sha256\":");
+        json.ShouldContain("\"cert_sha256\":");
+    }
+}