[AZ-552] [AZ-553] [AZ-554] [AZ-555] Cycle-2 hotfix: deploy/infra chain

Batch 5 (cycle 2 hotfix sprint, batch 1 of 2). 6 story points under epic
AZ-530. Addresses 2 Critical + 2 High deploy-blocking findings from
security_report_cycle2.md (F-INFRA-1..F-INFRA-4).

AZ-552 — drop_jwt_secret_deploy_preflight (1 pt, F-INFRA-1 Critical)
  scripts/start-services.sh swaps obsolete JwtConfig__Secret preflight
  for the cycle-2 trio (KeysFolder + ActiveKid + DataProtection.KeysFolder).
  .env.example, env/api/env.ps1, _docs/04_deploy/* updated to match. Repo
  scan in scripts/ and .env.example returns 0 offenders.

AZ-553 — bind_mount_es256_keys (2 pts, F-INFRA-2 Critical)
  start-services.sh bind-mounts DEPLOY_HOST_JWT_KEYS_DIR read-only at
  /etc/azaion/jwt-keys; preflight fails fast on a missing or empty host
  directory with operator-actionable error messages.

AZ-554 — persist_dataprotection_keys (2 pts, F-INFRA-3 High)
  Program.cs DataProtection wiring now fails fast in Production when
  KeysFolder is unset OR not probe-writable. start-services.sh bind-mounts
  DEPLOY_HOST_DP_KEYS_DIR read-write at /var/lib/azaion/dp-keys.
  Development behaviour unchanged (ephemeral default).

AZ-555 — secrets_readme_es256_rewrite (1 pt, F-INFRA-4 High)
  secrets/README.md schema fully rewritten; new "Host-side directories"
  subsection with bind-mount table + ownership/permission guidance.
  Cycle-1 JwtConfig__Secret removed from live schema (one prose
  deprecation paragraph retained).

Adjacent hygiene
  module-layout.md "Owns" extended to include scripts/, secrets/, env/,
  .env.example (gap from Step 9 new-task layout-delta).

Tests
  e2e/Azaion.E2E/Tests/Cycle2HotfixDeployTests.cs — 19 facts (8 exec,
  11 Skip with rationale per AZ-537/AZ-538 precedent). Skipped tests
  cover preflight/restart/Production-only paths verified at deploy gate.

Build: 0W 0E across Azaion.AdminApi + Azaion.E2E.
Test run deferred to autodev Step 11 (Run Tests).
Tracker transition deferred to next batch (MCP availability unverified
in this session — Leftovers pattern).

Co-authored-by: Cursor <cursoragent@cursor.com>

_docs/04_deploy/deploy_scripts.md

@@ -53,8 +53,11 @@ The complete variable inventory is `.env.example` at the repo root. Variables sp
 | `REGISTRY_HOST`, `REGISTRY_IMAGE`, `REGISTRY_TAG` | pull / start | public env / operator | tag is the `<sha12>-<arch>` immutable tag from `.woodpecker/02-build-push.yml` |
 | `REGISTRY_USER`, `REGISTRY_TOKEN` | pull | encrypted env | optional; if both missing, assumes `docker login` was done out-of-band |
 | `DEPLOY_CONTAINER_NAME`, `DEPLOY_HOST_PORT`, `DEPLOY_HOST_CONTENT_DIR`, `DEPLOY_HOST_LOGS_DIR` | stop / start | public env | identical for staging and prod by default |
-| `ASPNETCORE_ConnectionStrings__AzaionDb`, `__AzaionDbAdmin`, `JwtConfig__Secret` | start | encrypted env | the API fail-fast checks these on boot |
-| `ASPNETCORE_ResourcesConfig__*`, `JwtConfig__{Issuer,Audience,Lifetime}` | start | public env (defaults from `appsettings.json`) | only override if the env value differs from the appsettings default |
+| `ASPNETCORE_ConnectionStrings__AzaionDb`, `__AzaionDbAdmin` | start | encrypted env | the API fail-fast checks these on boot |
+| `ASPNETCORE_JwtConfig__KeysFolder`, `__ActiveKid` (AZ-552/AZ-553) | start | public env | container-side path to the ES256 PEMs + active kid; preflight + `JwtSigningKeyProvider` fail-fast if unset |
+| `ASPNETCORE_DataProtection__KeysFolder` (AZ-554) | start | public env | container-side path to the persisted DataProtection key ring; Production fail-fast if unset |
+| `DEPLOY_HOST_JWT_KEYS_DIR`, `DEPLOY_HOST_DP_KEYS_DIR` (AZ-553/AZ-554) | start | host env / public env | host-side directories bind-mounted into the container (JWT keys RO; DP keys RW) |
+| `ASPNETCORE_ResourcesConfig__*`, `JwtConfig__{Issuer,Audience,AccessTokenLifetimeMinutes}` | start | public env (defaults from `appsettings.json`) | only override if the env value differs from the appsettings default |
 | `SOPS_AGE_KEY_FILE` | `_lib.sh` | host | defaults to `/etc/azaion/age.key` if unset |
 | `SMOKE_ADMIN_EMAIL`, `SMOKE_ADMIN_PASSWORD` | `smoke.sh` | operator shell | dedicated smoke-test admin user; rotate as a regular admin password |
 

_docs/04_deploy/environment_strategy.md

@@ -26,8 +26,9 @@ The complete variable inventory lives in `.env.example` at the repo root (Step 1
 | `ASPNETCORE_ENVIRONMENT` | `.env` (`Development`) | docker-compose `environment:` (`Development`) | docker-compose / `--env-file` (`Staging`) | docker-compose / `--env-file` (`Production`) |
 | `ASPNETCORE_URLS` | `.env` | compose | host `.env` (rendered from sops) | host `.env` (rendered from sops) |
 | `ConnectionStrings__*` | `.env` (real local creds) | compose (literal — accepted F-10) | **sops-encrypted file in git** → decrypted on host at deploy time | same as staging |
-| `JwtConfig__Secret` | `.env` (dev-only literal) | compose (literal — accepted F-10) | **sops-encrypted** | **sops-encrypted** |
-| `JwtConfig__{Issuer,Audience,Lifetime}` | appsettings defaults | appsettings defaults | host `.env` if non-default | host `.env` if non-default |
+| `JwtConfig__KeysFolder`, `__ActiveKid` (AZ-552/AZ-553) | `.env` (dev-only path) | compose (volume mount) | public env + bind-mount via `DEPLOY_HOST_JWT_KEYS_DIR` | same |
+| `DataProtection__KeysFolder` (AZ-554) | unset (ephemeral dev default) | unset | public env + bind-mount via `DEPLOY_HOST_DP_KEYS_DIR` | same; Production fail-fast if unset |
+| `JwtConfig__{Issuer,Audience,AccessTokenLifetimeMinutes}` | appsettings defaults | appsettings defaults | host `.env` if non-default | host `.env` if non-default |
 | `ResourcesConfig__*` | appsettings defaults | compose | host `.env` if non-default | host `.env` if non-default |
 | `DEPLOY_*`, `REGISTRY_TAG` | `.env` (developer machine) | n/a | passed to `scripts/deploy.sh` from operator's shell or CI manual trigger | same |
 | `REGISTRY_USER`, `REGISTRY_TOKEN` | empty in dev `.env` | Woodpecker secrets `registry_user` / `registry_token` | Woodpecker secrets (CI deploy) or operator's shell (manual deploy) | same |
@@ -88,7 +89,7 @@ secrets/
 | Secret | Rotation cadence | Procedure |
 |--------|------------------|-----------|
 | Postgres `azaion_admin` / `azaion_reader` passwords | every 90 days, on operator schedule | `ALTER ROLE … WITH PASSWORD …` → re-encrypt `production.env` → `scripts/deploy.sh` |
-| JWT `JwtConfig__Secret` | every 180 days, AND on any suspected leak | re-encrypt → deploy. **All issued tokens become invalid** — communicate maintenance window. |
+| JWT signing PEMs in `DEPLOY_HOST_JWT_KEYS_DIR` (AZ-532/AZ-552/AZ-553) | every 180 days, AND on any suspected leak | follow `scripts/generate-jwt-key.sh` header (steps 1-6: drop a new PEM next to the active one → restart → wait verifier-cache TTL → switch `ActiveKid` → wait access-token TTL → delete old PEM). Rotation is **non-breaking** because both kids are exposed via `/.well-known/jwks.json` during the overlap window. |
 | `azaion_superadmin` password | every 365 days, AND on owner change | manual; not used by the running app, only by DB migrations |
 | Registry `REGISTRY_TOKEN` | every 90 days OR on CI compromise | rotate registry credential → update Woodpecker secret `registry_token` → re-encrypt `production.env` if also referenced there |
 | age private key (`/etc/azaion/age.key`) | every 365 days OR on host compromise | generate new key → add public recipient to `.sops.yaml` → `sops updatekeys secrets/*.env` → distribute new private key out-of-band → remove old recipient |

_docs/04_deploy/reports/deploy_status_report.md

@@ -75,10 +75,14 @@ API has no outbound calls to external SaaS APIs (no SSRF surface).
 | `ASPNETCORE_URLS` | Kestrel bind address | Container | `http://+:8080` | Environment |
 | `ASPNETCORE_ConnectionStrings__AzaionDb` | Reader DB connection (read-only role) | All | `Host=localhost;Port=4312;…;Username=azaion_reader` | Secret manager |
 | `ASPNETCORE_ConnectionStrings__AzaionDbAdmin` | Admin DB connection (read/write role) | All | `Host=localhost;Port=4312;…;Username=azaion_admin` | Secret manager |
-| `ASPNETCORE_JwtConfig__Secret` | HMAC-SHA256 signing key (≥ 32 bytes) | All | dev-only literal in `.env` | Secret manager |
+| `ASPNETCORE_JwtConfig__KeysFolder` (AZ-552/AZ-553) | Container path to ES256 PEMs | All | `/etc/azaion/jwt-keys` | public env; backed by `DEPLOY_HOST_JWT_KEYS_DIR` bind-mount |
+| `ASPNETCORE_JwtConfig__ActiveKid` (AZ-552/AZ-553) | kid of the PEM currently used to sign | All | unset (preflight fails) | public env or operator shell |
+| `ASPNETCORE_DataProtection__KeysFolder` (AZ-554) | Container path to persisted DP key ring | All | `/var/lib/azaion/dp-keys` | public env; backed by `DEPLOY_HOST_DP_KEYS_DIR` bind-mount |
+| `DEPLOY_HOST_JWT_KEYS_DIR` (AZ-553) | Host dir holding ES256 PEMs (bind-mounted RO) | Production / Staging | `/var/lib/azaion/jwt-keys` | host env / public env |
+| `DEPLOY_HOST_DP_KEYS_DIR` (AZ-554) | Host dir holding DataProtection key ring (RW) | Production / Staging | `/var/lib/azaion/dp-keys` | host env / public env |
 | `ASPNETCORE_JwtConfig__Issuer` | JWT `iss` claim | All | `AzaionApi` (appsettings) | appsettings or env override |
 | `ASPNETCORE_JwtConfig__Audience` | JWT `aud` claim | All | `Annotators/OrangePi/Admins` (appsettings) | appsettings or env override |
-| `ASPNETCORE_JwtConfig__TokenLifetimeHours` | Token TTL | All | `4` (appsettings) | Environment |
+| `ASPNETCORE_JwtConfig__AccessTokenLifetimeMinutes` | Access-token TTL (cycle-2; was `TokenLifetimeHours` in cycle-1) | All | `15` (appsettings) | Environment |
 | `ASPNETCORE_ResourcesConfig__ResourcesFolder` | File storage root | All | `Content` | Environment |
 | `CI_COMMIT_SHA` | Build-time label → `AZAION_REVISION` env in container | Build only | (unset → `unknown`) | Woodpecker `$CI_COMMIT_SHA` |
 | `DEPLOY_HOST` | Remote target machine for `scripts/deploy.sh` | Deploy scripts | `admin.azaion.com` | Environment |
@@ -93,7 +97,7 @@ API has no outbound calls to external SaaS APIs (no SSRF surface).
 | `REGISTRY_USER` | Registry login user | CI + deploy scripts | (empty) | Woodpecker secret `registry_user` / Secret manager |
 | `REGISTRY_TOKEN` | Registry login token/password | CI + deploy scripts | (empty) | Woodpecker secret `registry_token` / Secret manager |
 
-> All `ASPNETCORE_…` variables map to ASP.NET Core's `IConfiguration` via the standard `__` separator (e.g., `JwtConfig:Secret` ← `ASPNETCORE_JwtConfig__Secret`). The `ASPNETCORE_` prefix is *required* — `ConfigurationBuilder` only picks up env vars under that prefix unless additional prefixes are wired explicitly (which this app does not do).
+> All `ASPNETCORE_…` variables map to ASP.NET Core's `IConfiguration` via the standard `__` separator (e.g., `JwtConfig:KeysFolder` ← `ASPNETCORE_JwtConfig__KeysFolder`). The `ASPNETCORE_` prefix is *required* — `ConfigurationBuilder` only picks up env vars under that prefix unless additional prefixes are wired explicitly (which this app does not do).
 
 ## .env Files Created