[AZ-581] [AZ-582] [AZ-583] [AZ-584] Sec+Res NFT tests

Batch 3 of test implementation cycle 1 (existing-code Step 6).

- AZ-581 AuthClaimsTests: NFT-SEC-01..06+04b (foreign-keypair, byte-flip,
  30s skew, iss/aud/perms, multi-value permissions array).
- AZ-582 CrossCutting/ErrorRedaction/JwksRotation/StartupConfig/CorsConfig:
  NFT-SEC-07..13 (alg pin, kid rotation grace window, env fail-fast, CORS
  Production gate).
- AZ-583 CascadeF3/CascadeF4/MigratorRestart: NFT-RES-01..04. CascadeF4
  pins current walk-order divergence with carry_forward AC-4.6.
- AZ-584 ConfigDbStartup/JwksRotationNoRestart/DefaultVehicleRace:
  NFT-RES-05..08. NFT-RES-08 pins current behaviour (unique-index closes
  the race) with carry_forward AC-1.4.

Mock contract: SignBody accepts permissions OR permissions_array (mutually
exclusive). TokenSigner validates kid_override against published keys so
NFT-SEC-11 can assert "mock refuses old kid post-grace".

Helpers added: ForeignKeypair (test-only ECDSA P-256),
MissionsContainerHelper (docker-run wrapper for startup-time scenarios),
DockerLogs.

7 of 22 new tests are Skippable, gated on COMPOSE_RESTART_ENABLED + docker
CLI in the e2e-consumer image (explicit skip reason; no silent pass).

Build green: test csproj + jwks-mock csproj.

Co-authored-by: Cursor <cursoragent@cursor.com>

tests/Azaion.Missions.E2E.Tests/Helpers/ForeignKeypair.cs

@@ -0,0 +1,70 @@
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+using System.Text.Json.Nodes;
+
+namespace Azaion.Missions.E2E.Helpers;
+
+/// <summary>
+/// Test-only ECDSA P-256 signer used by NFT-SEC-02 to mint a token signed by
+/// a keypair the JWKS endpoint never published. This is the ONE in-test
+/// signing path allowed by the task spec — every other test mints via the
+/// jwks-mock <c>POST /sign</c> endpoint.
+/// </summary>
+/// <remarks>
+/// The private key lives entirely in the test process and is disposed with
+/// the helper. The wire shape mirrors <c>JwksMock.TokenSigner</c> (JWS-compact
+/// ES256) so the only thing that differs from a "real" mock-minted token is
+/// the signing key — defeating any IssuerSigningKeyResolver that fails to
+/// match <c>kid</c> against the published JWKS.
+/// </remarks>
+public sealed class ForeignKeypair : IDisposable
+{
+    private readonly ECDsa _ec;
+    private readonly string _kid;
+
+    public ForeignKeypair()
+    {
+        _ec = ECDsa.Create(ECCurve.NamedCurves.nistP256);
+        // Deterministic kid that is clearly NOT what jwks-mock issues
+        // (mock kids are base64url SHA-256 hashes; this label is plain ASCII).
+        _kid = "foreign-keypair-not-in-jwks";
+    }
+
+    public string Mint(string issuer, string audience, string permissions, int expOffsetSeconds = 3600)
+    {
+        var nowUnix = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
+        var expUnix = nowUnix + expOffsetSeconds;
+
+        var header = new JsonObject
+        {
+            ["alg"] = "ES256",
+            ["kid"] = _kid,
+            ["typ"] = "JWT"
+        };
+        var payload = new JsonObject
+        {
+            ["iss"] = issuer,
+            ["aud"] = audience,
+            ["iat"] = nowUnix,
+            ["exp"] = expUnix,
+            ["permissions"] = permissions
+        };
+
+        var headerSeg = Base64UrlEncode(JsonSerializer.SerializeToUtf8Bytes(header));
+        var payloadSeg = Base64UrlEncode(JsonSerializer.SerializeToUtf8Bytes(payload));
+        var signingInput = Encoding.ASCII.GetBytes($"{headerSeg}.{payloadSeg}");
+        var signature = _ec.SignData(signingInput, HashAlgorithmName.SHA256,
+            DSASignatureFormat.IeeeP1363FixedFieldConcatenation);
+        var sigSeg = Base64UrlEncode(signature);
+        return $"{headerSeg}.{payloadSeg}.{sigSeg}";
+    }
+
+    public void Dispose() => _ec.Dispose();
+
+    private static string Base64UrlEncode(ReadOnlySpan<byte> bytes)
+    {
+        var b64 = Convert.ToBase64String(bytes);
+        return b64.Replace('+', '-').Replace('/', '_').TrimEnd('=');
+    }
+}