[AZ-487] fix: JWT factory + tests now pass on net8.0

- JwtTokenFactory.Create: negative `lifetime` produced Expires < NotBefore
  which `JwtSecurityToken` rejects at construction time. Shift NotBefore
  behind Expires whenever the requested lifetime is non-positive so the
  expired-token fixture round-trips and lifetime validation can fire.
- JwtTokenFactoryTests: validate against a handler with
  `MapInboundClaims = false` so assertions read the factory's own claim
  names ("sub", "email", "permissions") rather than the .NET-default
  remapped ClaimTypes.* aliases.

These were latent — masked by the CS0104 build break fixed in 753be43.

Co-authored-by: Cursor <cursoragent@cursor.com>

SatelliteProvider.Tests/TestUtilities/JwtTokenFactory.cs

@@ -24,6 +24,11 @@ public static class JwtTokenFactory
 
         var now = DateTime.UtcNow;
         var expires = now.Add(lifetime ?? TimeSpan.FromHours(1));
+        // JwtSecurityToken rejects Expires <= NotBefore. For negative
+        // lifetimes (expired-token test fixture) shift NotBefore behind
+        // Expires so the constructor accepts the token and lifetime
+        // validation can fire downstream.
+        var notBefore = expires <= now ? expires.AddMinutes(-5) : now;
 
         var claims = new List<Claim>
         {
@@ -40,7 +45,7 @@ public static class JwtTokenFactory
             issuer: null,
             audience: null,
             claims: claims,
-            notBefore: now,
+            notBefore: notBefore,
             expires: expires,
             signingCredentials: credentials);