[AZ-552] [AZ-553] [AZ-554] [AZ-555] Cycle-2 hotfix: deploy/infra chain

Batch 5 (cycle 2 hotfix sprint, batch 1 of 2). 6 story points under epic
AZ-530. Addresses 2 Critical + 2 High deploy-blocking findings from
security_report_cycle2.md (F-INFRA-1..F-INFRA-4).

AZ-552 — drop_jwt_secret_deploy_preflight (1 pt, F-INFRA-1 Critical)
  scripts/start-services.sh swaps obsolete JwtConfig__Secret preflight
  for the cycle-2 trio (KeysFolder + ActiveKid + DataProtection.KeysFolder).
  .env.example, env/api/env.ps1, _docs/04_deploy/* updated to match. Repo
  scan in scripts/ and .env.example returns 0 offenders.

AZ-553 — bind_mount_es256_keys (2 pts, F-INFRA-2 Critical)
  start-services.sh bind-mounts DEPLOY_HOST_JWT_KEYS_DIR read-only at
  /etc/azaion/jwt-keys; preflight fails fast on a missing or empty host
  directory with operator-actionable error messages.

AZ-554 — persist_dataprotection_keys (2 pts, F-INFRA-3 High)
  Program.cs DataProtection wiring now fails fast in Production when
  KeysFolder is unset OR not probe-writable. start-services.sh bind-mounts
  DEPLOY_HOST_DP_KEYS_DIR read-write at /var/lib/azaion/dp-keys.
  Development behaviour unchanged (ephemeral default).

AZ-555 — secrets_readme_es256_rewrite (1 pt, F-INFRA-4 High)
  secrets/README.md schema fully rewritten; new "Host-side directories"
  subsection with bind-mount table + ownership/permission guidance.
  Cycle-1 JwtConfig__Secret removed from live schema (one prose
  deprecation paragraph retained).

Adjacent hygiene
  module-layout.md "Owns" extended to include scripts/, secrets/, env/,
  .env.example (gap from Step 9 new-task layout-delta).

Tests
  e2e/Azaion.E2E/Tests/Cycle2HotfixDeployTests.cs — 19 facts (8 exec,
  11 Skip with rationale per AZ-537/AZ-538 precedent). Skipped tests
  cover preflight/restart/Production-only paths verified at deploy gate.

Build: 0W 0E across Azaion.AdminApi + Azaion.E2E.
Test run deferred to autodev Step 11 (Run Tests).
Tracker transition deferred to next batch (MCP availability unverified
in this session — Leftovers pattern).

Co-authored-by: Cursor <cursoragent@cursor.com>

scripts/start-services.sh

@@ -14,9 +14,12 @@ Reads from the environment (deploy.sh sets these):
   REGISTRY_HOST, REGISTRY_IMAGE, REGISTRY_TAG
   DEPLOY_CONTAINER_NAME, DEPLOY_HOST_PORT
   DEPLOY_HOST_CONTENT_DIR, DEPLOY_HOST_LOGS_DIR
+  DEPLOY_HOST_JWT_KEYS_DIR  (host dir bind-mounted RO at /etc/azaion/jwt-keys)
+  DEPLOY_HOST_DP_KEYS_DIR   (host dir bind-mounted RW at /var/lib/azaion/dp-keys)
   ASPNETCORE_ENVIRONMENT, ASPNETCORE_URLS
   ASPNETCORE_ConnectionStrings__AzaionDb / __AzaionDbAdmin
-  ASPNETCORE_JwtConfig__Secret
+  ASPNETCORE_JwtConfig__KeysFolder, ASPNETCORE_JwtConfig__ActiveKid
+  ASPNETCORE_DataProtection__KeysFolder
   ASPNETCORE_ResourcesConfig__*  (defaults from appsettings.json if unset)
 EOF
 }
@@ -27,11 +30,31 @@ require_env \
     REGISTRY_HOST REGISTRY_IMAGE REGISTRY_TAG \
     DEPLOY_CONTAINER_NAME DEPLOY_HOST_PORT \
     DEPLOY_HOST_CONTENT_DIR DEPLOY_HOST_LOGS_DIR \
+    DEPLOY_HOST_JWT_KEYS_DIR DEPLOY_HOST_DP_KEYS_DIR \
     ASPNETCORE_ConnectionStrings__AzaionDb \
     ASPNETCORE_ConnectionStrings__AzaionDbAdmin \
-    ASPNETCORE_JwtConfig__Secret
+    ASPNETCORE_JwtConfig__KeysFolder \
+    ASPNETCORE_JwtConfig__ActiveKid \
+    ASPNETCORE_DataProtection__KeysFolder
 require_cmd docker
 
+# AZ-553 — ES256 PEMs must exist on the host before the container starts.
+# JwtSigningKeyProvider fails-fast on an empty folder; surface that as a
+# preflight failure with a clearer message.
+if [[ ! -d "$DEPLOY_HOST_JWT_KEYS_DIR" ]]; then
+    die "DEPLOY_HOST_JWT_KEYS_DIR does not exist: $DEPLOY_HOST_JWT_KEYS_DIR (run scripts/generate-jwt-key.sh on the host first)"
+fi
+if ! compgen -G "$DEPLOY_HOST_JWT_KEYS_DIR/*.pem" >/dev/null; then
+    die "No *.pem files in DEPLOY_HOST_JWT_KEYS_DIR: $DEPLOY_HOST_JWT_KEYS_DIR (run scripts/generate-jwt-key.sh on the host first)"
+fi
+
+# AZ-554 — DataProtection master keys must persist across container restarts
+# or every MFA-enrolled user gets locked out at the next deploy. The folder is
+# bind-mounted RW; the container creates the key ring on first run.
+if [[ ! -d "$DEPLOY_HOST_DP_KEYS_DIR" ]]; then
+    die "DEPLOY_HOST_DP_KEYS_DIR does not exist: $DEPLOY_HOST_DP_KEYS_DIR (create with: install -d -m 0700 -o <container-uid> -g <container-gid> $DEPLOY_HOST_DP_KEYS_DIR)"
+fi
+
 IMAGE="$REGISTRY_HOST/$REGISTRY_IMAGE:$REGISTRY_TAG"
 
 # Materialize an env file for `docker run --env-file`. We pass only the
@@ -53,6 +76,8 @@ docker run --detach \
     --publish "$DEPLOY_HOST_PORT:8080" \
     --volume "$DEPLOY_HOST_CONTENT_DIR:/app/Content" \
     --volume "$DEPLOY_HOST_LOGS_DIR:/app/logs" \
+    --volume "$DEPLOY_HOST_JWT_KEYS_DIR:/etc/azaion/jwt-keys:ro" \
+    --volume "$DEPLOY_HOST_DP_KEYS_DIR:/var/lib/azaion/dp-keys" \
     "$IMAGE" >/dev/null
 
 log_info "Container ID: $(docker container inspect -f '{{.Id}}' "$DEPLOY_CONTAINER_NAME" | cut -c1-12)"