[AZ-536] [AZ-537] [AZ-538] Argon2id, login rate limit + lockout, CORS https-only

AZ-536 — replace unsalted SHA-384 password hashing with Argon2id (RFC 9106).
Stored as PHC string with 64 MiB / 3 iter / 1 lane defaults; legacy SHA-384
hashes detected by prefix and lazily re-hashed on next successful login.
Verify uses CryptographicOperations.FixedTimeEquals on both formats.

AZ-537 — add per-IP sliding window rate limit on /login (ASP.NET Core
RateLimiter, 10/60s default — production-tight) plus DB-backed per-account
limit (5/300s) and consecutive-failure lockout (10 / 15 min) on the users
row. Adds a generic audit_events table with INSERT/SELECT-only grants for
the app role so the per-account count is queryable and admins cannot erase
their own forensic trail. BusinessExceptionHandler maps AccountLocked to
423 and LoginRateLimited to 429, both with Retry-After.

AZ-538 — drop the http://admin.azaion.com origin from CORS, gate
UseHsts() + UseHttpsRedirection() to non-Development envs (1y / preload).

Test infra: Npgsql in the e2e project + a DbHelper for direct DB
inspection used by the AZ-536/537 ACs. appsettings.Development.json
raises PerIpPermitLimit to 1000 so the suite (~270 logins from one
container IP) doesn't false-trip the limiter.

Tests: 53 pass + 3 documented skips (per-IP rate limit needs distinct
client IPs; HSTS/HTTPS redirect need ASPNETCORE_ENVIRONMENT=Production).

Code review: PASS_WITH_WARNINGS — 0 Critical, 0 High, 1 Medium, 3 Low.
See _docs/03_implementation/reviews/batch_01_cycle2_review.md.

Closes AZ-530 epic batch 1 of 4.

Co-authored-by: Cursor <cursoragent@cursor.com>

Azaion.Common/BusinessException.cs

@@ -14,6 +14,17 @@ public class BusinessException(ExceptionEnum exEnum) : Exception(GetMessage(exEn
 
     public ExceptionEnum ExceptionEnum { get; set; } = exEnum;
 
+    /// <summary>
+    /// Optional cooldown hint surfaced as a Retry-After response header by the exception
+    /// handler. Used by AccountLocked and LoginRateLimited (AZ-537).
+    /// </summary>
+    public int? RetryAfterSeconds { get; init; }
+
+    public BusinessException(ExceptionEnum exEnum, int retryAfterSeconds) : this(exEnum)
+    {
+        RetryAfterSeconds = retryAfterSeconds;
+    }
+
     public static string GetMessage(ExceptionEnum exEnum) => ExceptionDescriptions.GetValueOrDefault(exEnum) ?? exEnum.ToString();
 }
 
@@ -39,6 +50,12 @@ public enum ExceptionEnum
     [Description("User account is disabled.")]
     UserDisabled = 38,
 
+    [Description("Account is temporarily locked due to too many failed login attempts.")]
+    AccountLocked = 50,
+
+    [Description("Too many login attempts. Try again later.")]
+    LoginRateLimited = 51,
+
     [Description("No file provided.")]
     NoFileProvided = 60,
 }

Azaion.Common/Configs/AuthConfig.cs

@@ -0,0 +1,21 @@
+namespace Azaion.Common.Configs;
+
+public class AuthConfig
+{
+    public RateLimitOptions RateLimit { get; set; } = new();
+    public LockoutOptions   Lockout   { get; set; } = new();
+}
+
+public class RateLimitOptions
+{
+    public int PerIpPermitLimit       { get; set; } = 10;
+    public int PerIpWindowSeconds     { get; set; } = 60;
+    public int PerAccountPermitLimit  { get; set; } = 5;
+    public int PerAccountWindowSeconds { get; set; } = 300;
+}
+
+public class LockoutOptions
+{
+    public int MaxAttempts        { get; set; } = 10;
+    public int DurationSeconds    { get; set; } = 900; // 15 min
+}

Azaion.Common/Database/AzaionDb.cs

@@ -8,4 +8,5 @@ public class AzaionDb(DataOptions dataOptions) : DataConnection(dataOptions)
 {
     public ITable<User>            Users             => this.GetTable<User>();
     public ITable<DetectionClass>  DetectionClasses  => this.GetTable<DetectionClass>();
+    public ITable<AuditEvent>      AuditEvents       => this.GetTable<AuditEvent>();
 }

Azaion.Common/Database/AzaionDbShemaHolder.cs

@@ -42,6 +42,12 @@ public static class AzaionDbSchemaHolder
                 .IsPrimaryKey()
                 .IsIdentity();
 
+        builder.Entity<AuditEvent>()
+            .HasTableName("audit_events")
+            .Property(x => x.Id)
+                .IsPrimaryKey()
+                .IsIdentity();
+
         builder.Build();
     }
 }

Azaion.Common/Entities/AuditEvent.cs

@@ -0,0 +1,18 @@
+namespace Azaion.Common.Entities;
+
+public class AuditEvent
+{
+    public long      Id         { get; set; }
+    public string    EventType  { get; set; } = null!;
+    public DateTime  OccurredAt { get; set; }
+    public string?   Email      { get; set; }
+    public string?   Ip         { get; set; }
+    public string?   Metadata   { get; set; }
+}
+
+public static class AuditEventTypes
+{
+    public const string LoginFailed   = "login_failed";
+    public const string LoginLockout  = "login_lockout";
+    public const string LoginSuccess  = "login_success";
+}

Azaion.Common/Entities/User.cs

@@ -16,6 +16,10 @@ public class User
     public UserConfig? UserConfig { get; set; } = null!;
     public bool IsEnabled { get; set; }
 
+    // AZ-537 — consecutive failed-login counter and active lockout deadline.
+    public int       FailedLoginCount { get; set; }
+    public DateTime? LockoutUntil     { get; set; }
+
     public static string GetCacheKey(string email) =>
         string.IsNullOrEmpty(email) ? "" : $"{nameof(User)}.{email}";
 }