[AZ-531] [AZ-532] Refresh-token rotation + ES256 signing with JWKS

AZ-531 — /login now returns access (15 min) + opaque refresh; rotation
on /token/refresh; reuse of a rotated refresh kills the entire session
family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new
sessions table with serializable-tx rotation.

AZ-532 — switched access-token signing from HS256 shared-secret to ES256
file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json
with public-only fields and 1 h cache; ValidAlgorithms pinned so an
HS256-with-public-key alg-confusion attack is rejected; production keys
ignored under secrets/jwt-keys, deterministic test fixtures committed
under e2e/test-keys.

Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests).
Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated
for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with
ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env
to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux
budget unchanged, see batch_02_cycle2_review.md F1).

Co-authored-by: Cursor <cursoragent@cursor.com>

Azaion.Services/AuthService.cs

@@ -1,6 +1,5 @@
 using System.IdentityModel.Tokens.Jwt;
 using System.Security.Claims;
-using System.Text;
 using Azaion.Common.Configs;
 using Azaion.Common.Entities;
 using Microsoft.AspNetCore.Http;
@@ -12,11 +11,25 @@ namespace Azaion.Services;
 public interface IAuthService
 {
     Task<User?> GetCurrentUser();
-    string CreateToken(User user);
+
+    /// <summary>
+    /// AZ-531 / AZ-532 — mint a 15-minute ES256 access token. <paramref name="sessionId"/>
+    /// is stamped as the <c>sid</c> claim (logout / family-revocation key in AZ-535)
+    /// and <paramref name="jti"/> is the per-token unique id (AZ-535 access denylist).
+    /// </summary>
+    AccessToken CreateToken(User user, Guid sessionId, Guid jti);
 }
 
-public class AuthService(IHttpContextAccessor httpContextAccessor, IOptions<JwtConfig> jwtConfig, IUserService userService) : IAuthService
+public sealed record AccessToken(string Jwt, DateTime ExpiresAt);
+
+public class AuthService(
+    IHttpContextAccessor httpContextAccessor,
+    IOptions<JwtConfig>  jwtConfig,
+    IJwtSigningKeyProvider signingKeys,
+    IUserService userService) : IAuthService
 {
+    private readonly JwtConfig _jwt = jwtConfig.Value;
+
     private string? GetCurrentUserEmail()
     {
         var claims = httpContextAccessor.HttpContext?.User.Claims.ToDictionary(x => x.Type);
@@ -29,25 +42,29 @@ public class AuthService(IHttpContextAccessor httpContextAccessor, IOptions<JwtC
         return await userService.GetByEmail(email);
     }
 
-    public string CreateToken(User user)
+    public AccessToken CreateToken(User user, Guid sessionId, Guid jti)
     {
-        var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(jwtConfig.Value.Secret));
+        var active = signingKeys.Active;
+        var signingCredentials = new SigningCredentials(active.SecurityKey, SecurityAlgorithms.EcdsaSha256);
 
+        var expires = DateTime.UtcNow.AddMinutes(_jwt.AccessTokenLifetimeMinutes);
         var tokenHandler = new JwtSecurityTokenHandler();
         var tokenDescriptor = new SecurityTokenDescriptor
         {
             Subject = new ClaimsIdentity([
                 new Claim(ClaimTypes.NameIdentifier, user.Id.ToString()),
                 new Claim(ClaimTypes.Name, user.Email),
-                new Claim(ClaimTypes.Role, user.Role.ToString())
+                new Claim(ClaimTypes.Role, user.Role.ToString()),
+                new Claim(JwtRegisteredClaimNames.Sid, sessionId.ToString()),
+                new Claim(JwtRegisteredClaimNames.Jti, jti.ToString())
             ]),
-            Expires = DateTime.UtcNow.AddHours(jwtConfig.Value.TokenLifetimeHours),
-            Issuer = jwtConfig.Value.Issuer,
-            Audience = jwtConfig.Value.Audience,
-            SigningCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256Signature)
+            Expires            = expires,
+            Issuer             = _jwt.Issuer,
+            Audience           = _jwt.Audience,
+            SigningCredentials = signingCredentials
         };
 
         var token = tokenHandler.CreateToken(tokenDescriptor);
-        return tokenHandler.WriteToken(token);
+        return new AccessToken(tokenHandler.WriteToken(token), expires);
     }
-}
+}