[AZ-487] fix: integration-test JWT factory handles negative lifetime

Same fix as f64d0d7 applied to the integration tests' own copy of the
JWT mint helper. MintExpiredToken passes a negative lifetime which made
Expires < NotBefore and the JwtSecurityToken constructor rejected the
token before it could exercise lifetime-validation. Shift NotBefore
behind Expires for non-positive lifetimes.

Co-authored-by: Cursor <cursoragent@cursor.com>

SatelliteProvider.IntegrationTests/JwtTestHelpers.cs

@@ -39,6 +39,10 @@ public static class JwtTestHelpers
         var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
 
         var now = DateTime.UtcNow;
+        var expires = now.Add(lifetime ?? TimeSpan.FromHours(1));
+        // JwtSecurityToken rejects Expires <= NotBefore. Shift NotBefore
+        // behind Expires for the expired-token test fixture.
+        var notBefore = expires <= now ? expires.AddMinutes(-5) : now;
         var claims = new List<Claim>
         {
             new(JwtRegisteredClaimNames.Sub, subject),
@@ -53,8 +57,8 @@ public static class JwtTestHelpers
             issuer: null,
             audience: null,
             claims: claims,
-            notBefore: now,
-            expires: now.Add(lifetime ?? TimeSpan.FromHours(1)),
+            notBefore: notBefore,
+            expires: expires,
             signingCredentials: credentials);
 
         return new JwtSecurityTokenHandler().WriteToken(token);