Clean up forward auth caching: remove duplication, fix rate limiting, and plug cache gaps

- Remove duplicated app_allows_user_cached?/headers_for_user_cached methods; call model methods directly
- Fix sliding-window rate limit bug by using increment instead of write (avoids TTL reset)
- Use cached app lookup in validate_redirect_url instead of hitting DB on every unauthorized request
- Add cache busting to ApplicationGroup so group assignment changes invalidate the cache
- Eager-load user groups (includes(user: :groups)) to eliminate N+1 queries
- Replace pluck(:name) with map(&:name) to use already-loaded associations
- Remove hardcoded fallback domain, dead methods, and unnecessary comments
- Fix test indentation and make group-order assertions deterministic

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

app/models/application.rb

@@ -202,7 +202,7 @@ class Application < ApplicationRecord
       when :username
         headers[header_name] = user.username if user.username.present?
       when :groups
-        headers[header_name] = user.groups.pluck(:name).join(",") if user.groups.any?
+        headers[header_name] = user.groups.map(&:name).join(",") if user.groups.any?
       when :admin
         headers[header_name] = user.admin? ? "true" : "false"
       end

app/models/application_group.rb

@@ -3,4 +3,12 @@ class ApplicationGroup < ApplicationRecord
   belongs_to :group
 
   validates :application_id, uniqueness: {scope: :group_id}
+
+  after_commit :bust_forward_auth_cache
+
+  private
+
+  def bust_forward_auth_cache
+    Rails.application.config.forward_auth_cache&.delete("fa_apps")
+  end
 end