[AZ-576] Add e2e test infrastructure (xUnit + jwks-mock + reporting)

Scaffold the blackbox test project the rest of epic AZ-575 (AZ-577..AZ-586)
will build on. Two new csprojs under tests/, plus the TLS materials and
TRX->CSV reporting hand-off the existing docker-compose.test.yml already
calls for.

JWKS mock (tests/Azaion.Missions.JwksMock/):
- ASP.NET Core minimal API on .NET 10, no NuGet deps; JWS is hand-rolled
  to keep the surface tight and avoid version drift with the SUT
- KeyStore with one in-memory ECDSA P-256 keypair + retired-key grace
  window for NFT-RES-07 / NFT-SEC-11 rotation observability
- Endpoints: GET /.well-known/jwks.json, POST /sign, POST /rotate-key
- Mock-only alg_override / kid_override switches drive NFT-SEC-09/10/11
- TLS keypair committed under tls/; tests/jwks-mock-ca.crt is a copy
  mounted into both missions and e2e-consumer per docker-compose.test.yml

E2E consumer (tests/Azaion.Missions.E2E.Tests/):
- xUnit 2.9.2 + Bogus 35.6.1 + Npgsql 10.0.2 + Xunit.SkippableFact 1.4.13
- TestBase / TokenMinter scaffolding for downstream tasks
- Fixtures/ for DbReset, DbSeed, ComposeRestart, JwksRotate, JwksMockReverse
- Helpers/ for DbAssertions (side-channel), HttpAssertions, FixtureSql
- 8 Tests/<category>/Sanity.cs discovery smoke tests (AC-3)
- Tests/InfrastructureSanity.cs SkippableFacts for AC-1/2/5/6
- Tests/AaaPatternEnforcement.cs greps source files for AC-7
- Tests/Reporting/TrxToCsvPostProcessorTests.cs covers AC-4
- Reporting/TrxToCsvPostProcessor.cs handles VSTest TRX -> environment.md
  CSV; xUnit traits are not propagated by the TRX logger so the converter
  reflects them out of the test DLL via GetCustomAttributesData
- Reporting.Cli/ is a separate console csproj that links the converter
  source files (test project excludes Reporting.Cli/** from compile)
- Dockerfile + entrypoint.sh wire dotnet test -> trx -> csv inside the
  e2e-consumer container the compose file already references

Local verification: 13 pass, 3 skip (with explicit reasons), 0 fail.
End-to-end TRX->CSV manually verified against environment.md header spec.
Docker stack build is handed off to autodev Step 7 (test-run skill).

Reports under _docs/03_implementation/.
AZ-576 task spec moved to _docs/tasks/done/.

Co-authored-by: Cursor <cursoragent@cursor.com>

tests/Azaion.Missions.JwksMock/Endpoints/JwksEndpoint.cs

@@ -0,0 +1,48 @@
+using System.Security.Cryptography;
+using System.Text.Json.Nodes;
+using Azaion.Missions.JwksMock.Services;
+
+namespace Azaion.Missions.JwksMock.Endpoints;
+
+public static class JwksEndpoint
+{
+    /// <summary>
+    /// <c>GET /.well-known/jwks.json</c>. Mirrors the shape the production
+    /// admin issuer publishes — JsonWebKey 'kty=EC, crv=P-256, alg=ES256,
+    /// use=sig' with base64url x/y coordinates.
+    /// </summary>
+    public static IResult Handle(KeyStore keys)
+    {
+        var keysArray = new JsonArray();
+        foreach (var key in keys.PublishedKeys())
+        {
+            var p = key.Ec.ExportParameters(includePrivateParameters: false);
+            keysArray.Add(new JsonObject
+            {
+                ["kty"] = "EC",
+                ["use"] = "sig",
+                ["alg"] = "ES256",
+                ["crv"] = "P-256",
+                ["kid"] = key.Kid,
+                ["x"] = Base64Url.Encode(p.Q.X!),
+                ["y"] = Base64Url.Encode(p.Q.Y!)
+            });
+        }
+
+        var doc = new JsonObject { ["keys"] = keysArray };
+        return Results.Json(doc, statusCode: 200, contentType: "application/json")
+                      .WithCacheControl("public, max-age=60");
+    }
+
+    private static IResult WithCacheControl(this IResult result, string value) =>
+        new CacheControlResult(result, value);
+
+    private sealed class CacheControlResult(IResult inner, string cacheControl) : IResult
+    {
+        public Task ExecuteAsync(HttpContext httpContext)
+        {
+            httpContext.Response.Headers.CacheControl = cacheControl;
+            return inner.ExecuteAsync(httpContext);
+        }
+    }
+}