
chore(auth): replace axios in auth/customs with native fetch #20735

Status: Open
toufali wants to merge 1 commit into main from remove-axios-auth-customs


Conversation

@toufali (Member) commented Jun 11, 2026

Because

  • axios is a recurring source of security advisories. Continues the migration to native fetch (FXA-13427); this PR covers the customs client and the Google RISC events CLI, and removes the now-unused agentkeepalive from auth-server.

This pull request

  • Migrates the customs client (customs.js) from axios + agentkeepalive to native fetch, preserving the request timeout via AbortSignal.timeout and the fail-closed error handling (backendServiceFailure).
  • Collapses the customsHttpAgent config (socket-pool knobs) to a single customsClient.timeoutMs (retaining the CUSTOMS_TIMEOUT_MS env binding); deletes the orphaned http-agent.ts and the agentkeepalive dependency.
  • Rewrites customs.spec.ts off nock onto global.fetch stubs, simplifying it (753 → 569 lines) into focused one-behavior tests plus a direct sanitizePayload unit test.
  • Migrates the google-events-cli.js RISC script off axios.

Issue that this pull request solves

Closes: FXA-13427 (customs + scripts slice)

Checklist

Put an x in the boxes that apply

  • My commit is GPG signed.
  • If applicable, I have modified or added tests which pass locally.
  • I have added necessary documentation (if appropriate).
  • I have verified that my changes render correctly in RTL (if appropriate).
  • I have manually reviewed all AI generated code.

Other information (Optional)

Connection pooling: fetch (undici) pools and keep-alives connections by default. The dropped maxSockets caps were only ever raised under load testing (the historical pain was too few sockets), and undici's default per-origin pool is unlimited — so moving to defaults goes in the safe direction. The 8s prod timeout (CUSTOMS_TIMEOUT_MS) is preserved.

Ops follow-ups (not blocking this PR):

  • The customs.{httpAgent,httpsAgent}.* StatsD socket gauges are removed — fetch/undici exposes no agent to introspect. Heads-up for anyone with customs Grafana panels/alerts on those metrics.
  • The CUSTOMS_MAX_SOCKETS, CUSTOMS_MAX_FREE_SOCKETS, and CUSTOMS_FREE_SOCKET_TIMEOUT_MS env vars are now unused. webservices-infra still sets customs_free_socket_timeout_ms (now inert) — worth removing there in a follow-up.

axios itself remains in the root package.json until libs/profile/client migrates (next PR).
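The client migration and the global.fetch-stub testing approach the description above outlines, as an added illustration that is not the PR's or fxa-auth-server's code: a minimal customs client on native fetch, with the request timeout carried by AbortSignal.timeout and fail-closed handling of anything that is not a verdict (network error, timeout, non-2xx status), exercised against stubs installed on globalThis.fetch and restored afterwards. The names CustomsClient, BackendServiceFailure, sanitizePayload, the forbidden-field list, the /check route, the { block, retryAfter } response shape and the example hostnames are assumptions; only the 8000 ms default comes from the PR text.

```javascript
// Added example, not fxa-auth-server code. CustomsClient, BackendServiceFailure,
// sanitizePayload, FORBIDDEN_FIELDS, the /check route and the { block, retryAfter }
// response shape are assumptions for illustration.

const DEFAULT_TIMEOUT_MS = 8000; // the CUSTOMS_TIMEOUT_MS prod value the PR text quotes

// Raised whenever customs cannot deliver a verdict. Callers treat it as a
// rejection of the request (fail closed), never as "allowed".
class BackendServiceFailure extends Error {
  constructor(detail) {
    super(`customs backend failure: ${detail}`);
    this.name = 'BackendServiceFailure';
    this.detail = detail;
  }
}

// Fields that must never leave the process in a customs request (assumed list).
const FORBIDDEN_FIELDS = new Set(['password', 'authPW', 'sessionToken']);

function sanitizePayload(payload) {
  const out = {};
  for (const [key, value] of Object.entries(payload)) {
    if (!FORBIDDEN_FIELDS.has(key)) out[key] = value;
  }
  return out;
}

class CustomsClient {
  constructor({ baseUrl, timeoutMs = DEFAULT_TIMEOUT_MS }) {
    this.baseUrl = baseUrl.replace(/\/$/, '');
    this.timeoutMs = timeoutMs;
  }

  // POST /check. Resolves to { block, retryAfter }; throws BackendServiceFailure on
  // network error, timeout or non-2xx status, so an outage blocks rather than allows.
  async check(payload) {
    let response;
    try {
      // globalThis.fetch is resolved per call so a test can swap in a stub.
      response = await globalThis.fetch(`${this.baseUrl}/check`, {
        method: 'POST',
        headers: { 'content-type': 'application/json' },
        body: JSON.stringify(sanitizePayload(payload)),
        // Replaces axios's timeout option: aborts with a TimeoutError after timeoutMs.
        signal: AbortSignal.timeout(this.timeoutMs),
      });
    } catch (err) {
      throw new BackendServiceFailure(err?.name ?? String(err));
    }
    if (!response.ok) throw new BackendServiceFailure(`HTTP ${response.status}`);
    const body = await response.json();
    return { block: body.block === true, retryAfter: Number(body.retryAfter) || 0 };
  }
}

// --- Stubs for globalThis.fetch, in the style of the rewritten spec (constructed) ---

// Answers every call with a fixed status and JSON body; records each request body
// so a test can verify what actually went on the wire.
function stubJsonResponse(status, body, seen) {
  return async (_url, init) => {
    seen.push(JSON.parse(init.body));
    return { ok: status >= 200 && status < 300, status, json: async () => body };
  };
}

// Never answers; rejects only when the caller's signal aborts, which is what
// AbortSignal.timeout does. The ref'd guard timer keeps the event loop alive
// (Node unrefs the timeout signal's own timer) and fails loudly if no abort comes.
function stubHangingFetch(maxWaitMs = 5000) {
  return (_url, { signal }) =>
    new Promise((_resolve, reject) => {
      const guard = setTimeout(() => reject(new Error('stub: caller never aborted')), maxWaitMs);
      signal.addEventListener('abort', () => { clearTimeout(guard); reject(signal.reason); }, { once: true });
    });
}

// Drives the client through block, allow, HTTP-error and timeout paths and returns
// what was observed. Restores the real fetch afterwards.
async function runDemo() {
  const client = new CustomsClient({ baseUrl: 'http://customs.example.invalid', timeoutMs: 50 });
  const original = globalThis.fetch;
  const sent = [];
  const results = { sent };
  const detailOf = (p) => p.then(() => null, (e) => (e instanceof BackendServiceFailure ? e.detail : `unexpected ${e}`));
  try {
    globalThis.fetch = stubJsonResponse(200, { block: true, retryAfter: 30 }, sent);
    results.blocked = await client.check({ email: 'a@example.invalid', password: 'hunter2' });

    globalThis.fetch = stubJsonResponse(200, { block: false }, sent);
    results.allowed = await client.check({ email: 'a@example.invalid' });

    globalThis.fetch = stubJsonResponse(503, {}, sent);
    results.httpError = await detailOf(client.check({ email: 'a@example.invalid' }));

    globalThis.fetch = stubHangingFetch();
    results.timeoutError = await detailOf(client.check({ email: 'a@example.invalid' }));
  } finally {
    globalThis.fetch = original;
  }
  return results;
}

// Run once at load; the printed object shows each path's outcome.
const demo = runDemo();
demo.then((r) => console.log(JSON.stringify(r, null, 2)));
```

Two details matter for the fail-closed property: the catch around fetch maps every rejection (DNS failure, connection reset, TimeoutError from the abort signal) to BackendServiceFailure instead of letting it surface as an allow, and the non-2xx branch does the same before any body parsing. The hanging stub shows why a timeout stub in such a spec must honour the abort signal: without it, the test would only pass because of the guard timer.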

toufali force-pushed the remove-axios-auth-customs branch from a959c64 to a221325 (June 11, 2026 19:34)
toufali marked this pull request as ready for review (June 11, 2026 22:08)
toufali requested a review from a team as a code owner (June 11, 2026 22:08)
Copilot AI review requested due to automatic review settings (June 11, 2026 22:08)

Copilot AI (Contributor) left a comment

Pull request overview

This PR continues the migration away from axios/agentkeepalive in fxa-auth-server by switching the legacy customs client and the Google RISC events CLI to native fetch, while simplifying the related configuration surface and modernizing the customs unit tests.

Changes:

  • Replaced axios + agentkeepalive usage in lib/customs.js with native fetch + AbortSignal.timeout, preserving fail-closed behavior.
  • Simplified customs configuration from socket-pool/agent settings to a single customsClient.timeoutMs value.
  • Reworked lib/customs.spec.ts to stub global.fetch instead of using nock, and removed the now-unused http-agent.ts + dependency.

Reviewed changes

Copilot reviewed 6 out of 7 changed files in this pull request and generated 1 comment.

Summary per file:

  • yarn.lock: Removes agentkeepalive from the auth-server workspace dependency graph.
  • packages/fxa-auth-server/scripts/google-events-cli.js: Switches Google RISC CLI requests from axios to fetch.
  • packages/fxa-auth-server/package.json: Drops the agentkeepalive dependency from auth-server.
  • packages/fxa-auth-server/lib/http-agent.ts: Deletes the custom agent factory now that fetch is used.
  • packages/fxa-auth-server/lib/customs.spec.ts: Updates tests to stub global.fetch and adds focused unit coverage for payload sanitization.
  • packages/fxa-auth-server/lib/customs.js: Migrates customs HTTP calls to fetch, adds request timeout via AbortSignal.timeout.
  • packages/fxa-auth-server/config/index.ts: Replaces customsHttpAgent config with customsClient.timeoutMs.


Comment thread on packages/fxa-auth-server/scripts/google-events-cli.js
toufali force-pushed the remove-axios-auth-customs branch from a221325 to f992749 (June 11, 2026 22:20)