[AZ-491] Cycle 3 batch 2: consolidate JWT test-mint helpers into TestSupport

AZ-491 (3 SP): eliminate the cycle-2 duplicate of JWT-minting logic
that existed in both SatelliteProvider.Tests/TestUtilities/
JwtTokenFactory.cs (unit-side) and SatelliteProvider.IntegrationTests/
JwtTestHelpers.cs (integration-side), where the same Expires <
NotBefore bug needed parallel fixes in commits f64d0d7 + 11b7074.

Option A chosen: new SatelliteProvider.TestSupport class library
(no test framework) holds the canonical JwtTokenFactory.Create /
CreateExpired / TamperSignature. Both Tests and IntegrationTests
consume it via ProjectReference; production projects (Api, Common,
DataAccess, Services.*) cannot depend on it. The notBefore-shift
workaround is preserved with an inline regression-prevention comment
back-referencing the cycle-2 fix commits.

SatelliteProvider.IntegrationTests/JwtTestHelpers.cs is stripped to
runner-only concerns: ResolveSecretOrThrow, AttachDefaultAuthorization,
and the DefaultSubject = "integration-tests" constant. Call sites in
Program.cs, JwtIntegrationTests.cs, and UavUploadTests.cs (10 sites)
switched to JwtTokenFactory.* with JwtTestHelpers.DefaultSubject
explicitly passed for the runner subject - behavior parity preserved.

Dockerfile for IntegrationTests gets the new TestSupport csproj
in its pre-restore COPY layer. Api Dockerfile unchanged (TestSupport
is NOT a production dependency).

A new code-review SKILL.md Phase 6 checklist row flags near-identical
helper logic across test projects as a Medium / Maintainability
finding with explicit cycle-2 retro back-reference, so this whole
pattern stops at one occurrence.

module-layout.md adds a TestSupport Shared/Cross-Cutting entry
documenting the production-isolation invariant. tests_unit.md +
tests_integration.md updated to describe the consolidated layout.
sln updated.

Test-suite gate (AC-2 + AC-3) deferred to Step 16 Final Test Run
per implement-skill convention. Per-batch review verdict:
PASS_WITH_WARNINGS with 1 Low (pre-existing 7.0.3 version pin
preserved verbatim from cycle-2 IntegrationTests csproj for parity;
not blocking; deferred bump).

Co-authored-by: Cursor <cursoragent@cursor.com>

SatelliteProvider.IntegrationTests/JwtTestHelpers.cs

@@ -1,8 +1,5 @@
-using System.IdentityModel.Tokens.Jwt;
 using System.Net.Http.Headers;
-using System.Security.Claims;
 using System.Text;
-using Microsoft.IdentityModel.Tokens;
 
 namespace SatelliteProvider.IntegrationTests;
 
@@ -31,58 +28,6 @@ public static class JwtTestHelpers
         return secret;
     }
 
-    public static string MintValidToken(string secret, string subject = DefaultSubject, TimeSpan? lifetime = null, IEnumerable<Claim>? extraClaims = null)
-    {
-        ArgumentNullException.ThrowIfNull(secret);
-
-        var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
-        var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
-
-        var now = DateTime.UtcNow;
-        var expires = now.Add(lifetime ?? TimeSpan.FromHours(1));
-        // JwtSecurityToken rejects Expires <= NotBefore. Shift NotBefore
-        // behind Expires for the expired-token test fixture.
-        var notBefore = expires <= now ? expires.AddMinutes(-5) : now;
-        var claims = new List<Claim>
-        {
-            new(JwtRegisteredClaimNames.Sub, subject),
-            new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N"))
-        };
-        if (extraClaims is not null)
-        {
-            claims.AddRange(extraClaims);
-        }
-
-        var token = new JwtSecurityToken(
-            issuer: null,
-            audience: null,
-            claims: claims,
-            notBefore: notBefore,
-            expires: expires,
-            signingCredentials: credentials);
-
-        return new JwtSecurityTokenHandler().WriteToken(token);
-    }
-
-    public static string MintExpiredToken(string secret, string subject = DefaultSubject)
-    {
-        return MintValidToken(secret, subject, lifetime: TimeSpan.FromMinutes(-10));
-    }
-
-    public static string TamperSignature(string token)
-    {
-        var parts = token.Split('.');
-        if (parts.Length != 3)
-        {
-            throw new ArgumentException("JWT must have three dot-separated segments.", nameof(token));
-        }
-
-        var signature = parts[2];
-        var firstChar = signature[0];
-        parts[2] = (firstChar == 'A' ? 'B' : 'A') + signature[1..];
-        return string.Join('.', parts);
-    }
-
     public static void AttachDefaultAuthorization(HttpClient httpClient, string token)
     {
         httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);