[AZ-487] JWT validation baseline (HS256, all endpoints)

Adds Microsoft.AspNetCore.Authentication.JwtBearer 8.0.21 and the
SatelliteProvider.Api.Authentication.AddSatelliteJwt extension that
validates HS256 tokens against a shared JWT_SECRET (>=32 bytes, fail
fast at startup). Every minimal-API endpoint now carries
.RequireAuthorization(); the middleware chain is UseExceptionHandler ->
UseHttpsRedirection -> UseCors -> UseAuthentication -> UseAuthorization
-> endpoints. Swagger UI gets a Bearer security definition so the
Authorize button works.

Test infrastructure: JwtTokenFactory (unit) and JwtTestHelpers
(integration) mint deterministic tokens against the same secret; the
integration test runner attaches a default Bearer token to its shared
HttpClient so existing tests continue to exercise protected endpoints.
JwtIntegrationTests adds AC-1..AC-4 and AC-7 (Swagger advertises
Bearer) end-to-end; AuthenticationServiceCollectionExtensionsTests
covers AC-5 (missing/empty/short secret fail-fast) plus env-var
precedence; JwtTokenFactoryTests covers AC-6 (claims pass through
the JwtSecurityTokenHandler.ValidateToken path JwtBearer uses).

docker-compose and scripts/run-tests.sh now propagate JWT_SECRET to
the api and integration-tests containers, with a >=32-byte guard.
.env.example documents the required keys; .env stays gitignored.

Code review verdict: PASS_WITH_WARNINGS (2 Low findings surfaced
in _docs/03_implementation/reviews/batch_01_cycle2_review.md).

Cross-component coordination: gps-denied-onboard and the mission
planner UI must attach Bearer tokens before this lands in dev.

Co-authored-by: Cursor <cursoragent@cursor.com>

SatelliteProvider.Tests/TestUtilities/JwtTokenFactory.cs

@@ -0,0 +1,76 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Text;
+using Microsoft.IdentityModel.Tokens;
+
+namespace SatelliteProvider.Tests.TestUtilities;
+
+public static class JwtTokenFactory
+{
+    public const string DefaultSubject = "test-user";
+
+    public static string Create(
+        string secret,
+        string subject = DefaultSubject,
+        TimeSpan? lifetime = null,
+        IEnumerable<Claim>? extraClaims = null,
+        string algorithm = SecurityAlgorithms.HmacSha256)
+    {
+        ArgumentNullException.ThrowIfNull(secret);
+
+        var keyBytes = Encoding.UTF8.GetBytes(secret);
+        var signingKey = new SymmetricSecurityKey(keyBytes);
+        var credentials = new SigningCredentials(signingKey, algorithm);
+
+        var now = DateTime.UtcNow;
+        var expires = now.Add(lifetime ?? TimeSpan.FromHours(1));
+
+        var claims = new List<Claim>
+        {
+            new(JwtRegisteredClaimNames.Sub, subject),
+            new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N"))
+        };
+
+        if (extraClaims is not null)
+        {
+            claims.AddRange(extraClaims);
+        }
+
+        var token = new JwtSecurityToken(
+            issuer: null,
+            audience: null,
+            claims: claims,
+            notBefore: now,
+            expires: expires,
+            signingCredentials: credentials);
+
+        return new JwtSecurityTokenHandler().WriteToken(token);
+    }
+
+    public static string CreateExpired(string secret, string subject = DefaultSubject)
+    {
+        return Create(secret, subject, lifetime: TimeSpan.FromMinutes(-5));
+    }
+
+    public static string TamperSignature(string token)
+    {
+        ArgumentException.ThrowIfNullOrEmpty(token);
+
+        var parts = token.Split('.');
+        if (parts.Length != 3)
+        {
+            throw new ArgumentException("JWT must have three dot-separated parts.", nameof(token));
+        }
+
+        var signature = parts[2];
+        if (signature.Length == 0)
+        {
+            throw new ArgumentException("JWT signature segment is empty.", nameof(token));
+        }
+
+        var firstChar = signature[0];
+        var replacement = firstChar == 'A' ? 'B' : 'A';
+        parts[2] = replacement + signature[1..];
+        return string.Join('.', parts);
+    }
+}