chore: update configuration and Docker setup for JWT and test results

Enhanced the .gitignore to exclude test results and updated the Dockerfile to include a new entrypoint script for improved container initialization. Refactored JWT configuration to support additional parameters for automatic refresh intervals, ensuring better control over token management. Updated the ConfigurationResolver to enforce required environment variables without hardcoded fallbacks, enhancing security and flexibility.

_docs/02_document/tests/resilience-tests.md

@@ -110,27 +110,29 @@
 
 ---
 
-### NFT-RES-05: DB unreachable at startup — process exits non-zero
+### NFT-RES-05: Required configuration missing → fail-fast at startup
 
-**Summary**: Verifies AC-6.7 — DB unreachability causes process exit, NOT silent retry-forever.
-**Traces to**: AC-6.7
+**Summary**: Verifies AC-6.1 / AC-6.2 / E3 — `Infrastructure/ConfigurationResolver.ResolveRequiredOrThrow` throws `InvalidOperationException` when any of the four required env vars (`DATABASE_URL`, `JWT_ISSUER`, `JWT_AUDIENCE`, `JWT_JWKS_URL`) is missing or whitespace-only. Also verifies AC-6.7 — DB unreachability (after config resolution succeeds) still causes process exit. The legacy "silent dev fallback boot" failure mode is structurally eliminated.
+**Traces to**: AC-6.1, AC-6.2, AC-6.7, E3, E4
 
 **Preconditions**:
-- `missions` NOT running
+- `missions` NOT running.
+- This scenario uses `docker run` outside the main compose to isolate env-var manipulation.
 
-**Fault injection**: stop `postgres-test` (`docker compose stop postgres-test`) then start `missions`.
-
-**Steps**:
+**Steps** (each row is a separate `docker run` invocation; each times out at 30s):
 
 | Step | Action | Expected Behavior |
 |------|--------|------------------|
-| 1 | `docker compose stop postgres-test` |  |
-| 2 | `docker compose up -d missions` |  |
-| 3 | Poll `docker inspect --format '{{.State.ExitCode}}' missions` every 1s for ≤ 30s | At some point within 30s, the container has exited with non-zero exit code |
-| 4 | `docker logs missions` | Contains an Npgsql connection error message (e.g., `Connection refused`) |
+| 1 | `docker run --rm azaion/missions:test` with ALL four required env vars unset | container exits non-zero within 5s; logs contain `InvalidOperationException`; logs mention at least one of the four required keys |
+| 2 | `docker run` with `DATABASE_URL` unset; the three JWT vars set correctly | same shape; logs mention `DATABASE_URL` or `Database:Url` |
+| 3 | `docker run` with `JWT_ISSUER=""` (whitespace-only); other three set | same shape; logs mention `JWT_ISSUER` or `Jwt:Issuer` |
+| 4 | `docker run` with `JWT_AUDIENCE` unset; others set | same shape; logs mention `JWT_AUDIENCE` or `Jwt:Audience` |
+| 5 | `docker run` with `JWT_JWKS_URL` unset; others set | same shape; logs mention `JWT_JWKS_URL` or `Jwt:JwksUrl` |
+| 6 | `docker compose stop postgres-test`, then start `missions` with all four env vars set correctly — config resolution succeeds, then DB-connect fails | container exits non-zero within 30s; logs contain a recognisable Npgsql connection error (e.g., `Connection refused`) — NOT an `InvalidOperationException` from the resolver (this differentiates "config missing" from "config valid but DB down") |
 
-**Pass criteria**: container exits with non-zero code within 30s; logs contain a recognisable Npgsql error.
-**Max execution time**: 60s.
+**Pass criteria**: rows 1–5 → fail-fast at config resolution; row 6 → fail at DB-connect AFTER config resolution succeeded.
+**Note**: this test now exercises BOTH the fail-fast resolver (rows 1–5) AND the DB-unreachable case (row 6). Pre-revision, only row 6 was tested under the assumption of hardcoded dev fallbacks.
+**Max execution time**: 180s (6 docker-run cycles).
 
 ---
 
@@ -158,30 +160,34 @@
 
 ---
 
-### NFT-RES-07: JWT_SECRET rotation invalidates existing tokens
+### NFT-RES-07: JWKS key rotation — no missions restart required
 
-**Summary**: Verifies AC-5.7 — restarting the service with a different `JWT_SECRET` causes previously-valid tokens to fail validation.
+**Summary**: Verifies AC-5.7 — rotating the signing key on `admin` (via `jwks-mock POST /rotate-key`) propagates to `missions` on the JWKS cache refresh tick **without restarting `missions`**. This is the primary operational win over the legacy shared-HMAC model, which required coordinated re-deploy across every backend on the device.
 **Traces to**: AC-5.7
 
 **Preconditions**:
-- `missions` running with `JWT_SECRET=test-secret-32-chars-min!!!!!!!!!`
-- Token `T1` minted with the same secret, valid for 1h
+- `missions` running with warm JWKS cache (any previous protected request succeeded).
+- `jwks-mock` running with `Cache-Control: max-age=60` and `OldKeyGraceSeconds=5`.
+- Token `T1` requested via `POST /sign` with the CURRENT `kid` (`kid_v1`), valid for 1h.
 
-**Fault injection**: restart `missions` with `JWT_SECRET=rotated-secret-32-chars-min!!!!!`.
+**Fault injection**: `POST https://jwks-mock:8443/rotate-key {}` — generates `kid_v2`, retains `kid_v1` in the JWKS for `OldKeyGraceSeconds`, then evicts `kid_v1`.
 
 **Steps**:
 
 | Step | Action | Expected Behavior |
 |------|--------|------------------|
-| 1 | `GET /vehicles` with `Authorization: Bearer T1` | `200` |
-| 2 | `docker compose stop missions` |  |
-| 3 | `docker compose run -e JWT_SECRET=rotated-secret-32-chars-min!!!!! -d missions` |  |
-| 4 | Wait for `GET /health` 200 |  |
-| 5 | `GET /vehicles` with `Authorization: Bearer T1` (same token as step 1) | `401` |
-| 6 | Mint token `T2` with the new secret, `GET /vehicles` with `T2` | `200` |
+| 1 | `GET /vehicles` with `Authorization: Bearer T1` | `200` (cached JWKS knows `kid_v1`) |
+| 2 | `POST https://jwks-mock:8443/rotate-key {}` → returns `kid_v2` | jwks-mock now publishes BOTH `kid_v1` and `kid_v2` in its JWKS for `OldKeyGraceSeconds=5` |
+| 3 | Immediately request token `T2` signed with `kid_v2` via `POST /sign {}` | mock returns JWT with header `kid: kid_v2` |
+| 4 | Immediately `GET /vehicles` with `Authorization: Bearer T2` (BEFORE `missions` JWKS cache refresh) | `401` (cache still only has `kid_v1`) |
+| 5 | Wait up to 90s for `missions`'s `ConfigurationManager<JsonWebKeySet>` to refresh against the new JWKS (the mock's `max-age=60` triggers a refresh on the next request after that interval) | — |
+| 6 | `GET /vehicles` with `Authorization: Bearer T2` again | `200` (cache now contains `kid_v2`) |
+| 7 | `GET /vehicles` with `Authorization: Bearer T1` (still has unexpired lifetime, signed with `kid_v1`) | `200` IF the JWKS refresh happened BEFORE the mock's `OldKeyGraceSeconds=5` window closed (the JWKS still had `kid_v1`); `401` AFTER the grace window when `missions` refreshes and `kid_v1` is no longer in the JWKS. Test asserts the eventual `401` |
+| 8 | Verify `missions` was NEVER restarted during this scenario (`docker inspect --format '{{.State.StartedAt}}' missions` is unchanged from before step 1) | startup timestamp unchanged |
 
-**Pass criteria**: `T1` works pre-rotation, fails post-rotation; `T2` works post-rotation.
-**Max execution time**: 90s.
+**Pass criteria**: rotation propagates without restart; `T2` (new kid) eventually accepted; `T1` (old kid) eventually rejected; `missions` startup timestamp unchanged.
+**Note**: this test replaces the pre-revision "shared-secret rotation requires coordinated redeploy" scenario. The pre-revision test asserted that ALL services on the device had to restart together; the post-revision test asserts the opposite — they do NOT have to restart.
+**Max execution time**: 180s (longest wait is the JWKS refresh tick).
 
 ---