docs+src: complete Steps 1-3 outcomes + auth re-sync baseline

This commit captures everything produced during autodev existing-code
Steps 1 (Document), 2 (Architecture Baseline Scan), and 3 (Test Spec),
together with the targeted auth + CORS re-sync triggered on 2026-05-14
when codebase drift was detected at Step 4 entry. None of this work was
previously committed.

Step 1 (Document) — 50+ _docs/02_document/ files: problem, solution,
architecture, system flows, glossary, module-layout, per-component
specs (01..06), modules, deployment, diagrams, data model, FINAL
report, verification log, discovery.

Step 2 (Architecture Baseline) — architecture_compliance_baseline.md.
Verdict PASS_WITH_WARNINGS (0 Critical, 0 High, 1 Medium, 2 Low). No
High/Critical findings; auto-chained to Step 3 per existing-code flow.

Step 3 (Test Spec) — _docs/02_document/tests/* (67 scenarios across
blackbox, security, resilience, resource-limit, performance), plus
e2e/docker-compose.test.yml, e2e/seed/run.sh, scripts/run-tests.sh,
scripts/run-performance-tests.sh. Coverage 88% over the active scope
(40 of 45 items covered, 6 RB-deferred, 5 documented-as-uncovered).

Targeted auth + CORS re-sync — replaces the deleted in-house token
issuer with a JWKS-verifier model. AuthController and TokenService
removed; JwtExtensions switched from HS256 symmetric to ES256 over
admin's JWKS. ConfigurationResolver and CorsConfigurationValidator
added under src/Infrastructure/. ADR-002 and ADR-006 retired; SEC-01,
SEC-02, SEC-03 marked Closed. One new testability risk recorded in
architecture.md Open Risks Section 6 (JWKS HTTPS gating).

Source changes:
- src/Auth/JwtExtensions.cs (modified) — ES256, JWKS, alg pinning
- src/Program.cs (modified) — DI wiring for ConfigurationResolver
  and CorsConfigurationValidator
- src/Controllers/AuthController.cs (deleted) — no in-service issuance
- src/Services/TokenService.cs (deleted) — same
- src/Infrastructure/ConfigurationResolver.cs (new)
- src/Infrastructure/CorsConfigurationValidator.cs (new)
- .env.example (new) — required env var documentation
- .gitignore (updated)

Cross-repo coordination: _docs/cross-repo/flights_h1_h2_h3_change_spec
captures the change-spec for downstream services that consumed the now
deleted /auth endpoints.

Co-authored-by: Cursor <cursoragent@cursor.com>

_docs/02_document/diagrams/flows/flow_failsafe_drain.md

@@ -0,0 +1,52 @@
+# Flow F4 — Failsafe Outbox Drain → RabbitMQ Stream
+
+Cross-reference: `system-flows.md` → Flow F4.
+
+## Sequence
+
+```mermaid
+sequenceDiagram
+    autonumber
+    participant FP as FailsafeProducer (02, IHostedService)
+    participant DB
+    participant Path as PathResolver (06)
+    participant FS as Filesystem
+    participant RMQ as RabbitMQ Stream "azaion-annotations"
+
+    loop while host running
+        FP->>DB: SELECT FROM annotations_queue_records
+        DB-->>FP: pending rows (operation, annotation_ids JSON)
+        loop per row
+            alt operation = Created
+                FP->>Path: GetImagePath(annotationId)
+                FP->>FS: read bytes
+            end
+            FP->>FP: serialize MessagePack (Annotation*QueueMessage)
+            FP->>RMQ: publish stream entry
+            alt publish ok
+                FP->>DB: DELETE annotations_queue_records WHERE id = :id
+            else stream unavailable
+                FP->>FP: log + backoff
+            end
+        end
+    end
+```
+
+## State
+
+```mermaid
+stateDiagram-v2
+    [*] --> Idle
+    Idle --> Draining: queue rows present
+    Draining --> Publishing: row picked
+    Publishing --> Acked: stream publish ok
+    Acked --> Idle: row deleted
+    Publishing --> Backoff: stream unavailable
+    Backoff --> Idle: backoff elapsed
+```
+
+## Notes
+
+- See ADR-003 in `architecture.md` for rationale.
+- Multi-instance drain: no leasing in DB → duplicate stream entries possible. Suite consumer contract should dedupe.
+- Bulk message (`AnnotationBulkQueueMessage`) carries multiple annotation ids; `Created` semantics on bulk are out of scope here — confirm during Step 4 verification.