[AZ-536] [AZ-537] [AZ-538] Argon2id, login rate limit + lockout, CORS https-only

AZ-536 — replace unsalted SHA-384 password hashing with Argon2id (RFC 9106).
Stored as PHC string with 64 MiB / 3 iter / 1 lane defaults; legacy SHA-384
hashes detected by prefix and lazily re-hashed on next successful login.
Verify uses CryptographicOperations.FixedTimeEquals on both formats.

AZ-537 — add per-IP sliding window rate limit on /login (ASP.NET Core
RateLimiter, 10/60s default — production-tight) plus DB-backed per-account
limit (5/300s) and consecutive-failure lockout (10 / 15 min) on the users
row. Adds a generic audit_events table with INSERT/SELECT-only grants for
the app role so the per-account count is queryable and admins cannot erase
their own forensic trail. BusinessExceptionHandler maps AccountLocked to
423 and LoginRateLimited to 429, both with Retry-After.

AZ-538 — drop the http://admin.azaion.com origin from CORS, gate
UseHsts() + UseHttpsRedirection() to non-Development envs (1y / preload).

Test infra: Npgsql in the e2e project + a DbHelper for direct DB
inspection used by the AZ-536/537 ACs. appsettings.Development.json
raises PerIpPermitLimit to 1000 so the suite (~270 logins from one
container IP) doesn't false-trip the limiter.

Tests: 53 pass + 3 documented skips (per-IP rate limit needs distinct
client IPs; HSTS/HTTPS redirect need ASPNETCORE_ENVIRONMENT=Production).

Code review: PASS_WITH_WARNINGS — 0 Critical, 0 High, 1 Medium, 3 Low.
See _docs/03_implementation/reviews/batch_01_cycle2_review.md.

Closes AZ-530 epic batch 1 of 4.

Co-authored-by: Cursor <cursoragent@cursor.com>

Azaion.Services/AuditLog.cs

@@ -0,0 +1,59 @@
+using Azaion.Common.Database;
+using Azaion.Common.Entities;
+using LinqToDB;
+using Microsoft.AspNetCore.Http;
+
+namespace Azaion.Services;
+
+public interface IAuditLog
+{
+    Task RecordLoginFailed (string email, CancellationToken ct = default);
+    Task RecordLoginLockout(string email, CancellationToken ct = default);
+    Task RecordLoginSuccess(string email, CancellationToken ct = default);
+
+    /// <summary>
+    /// Number of `login_failed` rows for the given email within the last <paramref name="windowSeconds"/>.
+    /// Used by the per-account sliding-window rate limit (AZ-537 AC-2).
+    /// </summary>
+    Task<int> CountRecentFailedLogins(string email, int windowSeconds, CancellationToken ct = default);
+}
+
+public class AuditLog(IDbFactory dbFactory, IHttpContextAccessor httpContextAccessor) : IAuditLog
+{
+    public Task RecordLoginFailed (string email, CancellationToken ct = default)
+        => Insert(AuditEventTypes.LoginFailed,  email, ct);
+
+    public Task RecordLoginLockout(string email, CancellationToken ct = default)
+        => Insert(AuditEventTypes.LoginLockout, email, ct);
+
+    public Task RecordLoginSuccess(string email, CancellationToken ct = default)
+        => Insert(AuditEventTypes.LoginSuccess, email, ct);
+
+    public async Task<int> CountRecentFailedLogins(string email, int windowSeconds, CancellationToken ct = default)
+    {
+        var cutoff = DateTime.UtcNow.AddSeconds(-windowSeconds);
+        var normalised = email.ToLowerInvariant();
+        return await dbFactory.Run(async db =>
+            await db.AuditEvents
+                .Where(e => e.EventType == AuditEventTypes.LoginFailed
+                            && e.Email == normalised
+                            && e.OccurredAt >= cutoff)
+                .CountAsync(token: ct));
+    }
+
+    private async Task Insert(string eventType, string email, CancellationToken ct)
+    {
+        var ip = httpContextAccessor.HttpContext?.Connection.RemoteIpAddress?.ToString();
+        var normalised = email.ToLowerInvariant();
+        await dbFactory.RunAdmin(async db =>
+        {
+            await db.InsertAsync(new AuditEvent
+            {
+                EventType  = eventType,
+                OccurredAt = DateTime.UtcNow,
+                Email      = normalised,
+                Ip         = ip
+            }, token: ct);
+        });
+    }
+}