test(auth): validate cache key selector is valid CEL

Add CEL syntax validation to the subscription cache key test. The
cache key selector is evaluated by Authorino as a CEL expression at
runtime, so a syntax error would cause subscription-info cache lookups
to fail silently.

Uses cel-go parser to verify the expression parses without errors.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: mynhardtburger

maas-controller/go.mod

@@ -485,4 +485,21 @@ func TestMaaSAuthPolicyReconciler_SubscriptionCacheKey(t *testing.T) {
 			}
 		})
 	}
+
+	// Verify the cache key selector is a syntactically valid CEL expression.
+	// Authorino evaluates this string as CEL at runtime, so a syntax error here
+	// would cause all subscription-info cache lookups to fail silently.
+	t.Run("is valid CEL expression", func(t *testing.T) {
+		env, err := cel.NewEnv()
+		if err != nil {
+			t.Fatalf("failed to create CEL environment: %v", err)
+		}
+		ast, issues := env.Parse(cacheKeySelector)
+		if issues != nil && issues.Err() != nil {
+			t.Errorf("cache key selector is not a valid CEL expression:\n  selector: %s\n  parse error: %v", cacheKeySelector, issues.Err())
+		}
+		if ast == nil {
+			t.Errorf("CEL parse returned nil AST for selector: %s", cacheKeySelector)
+		}
+	})
 }