[AZ-494] Enable JWT iss/aud validation with fail-fast startup

Option B per user decision: production ships with empty Jwt.Issuer /
Jwt.Audience in appsettings.json so the API process refuses to start
unless JWT_ISSUER + JWT_AUDIENCE env vars are supplied. Development
ships with grep-friendly DEV-ONLY- placeholders so local + docker
flows keep working unchanged.

AuthenticationServiceCollectionExtensions flips ValidateIssuer +
ValidateAudience to true and wires ValidIssuer / ValidAudience via a
new ResolveRequiredOrThrow helper that all three required values
(secret, iss, aud) now share. JwtTokenFactory.Create + CreateExpired
gain optional iss / aud parameters (default null) so existing call
sites compile unchanged. JwtTestHelpers adds MintAuthenticated /
MintExpired wrappers that resolve iss + aud from env, plus
ResolveIssuerOrThrow / ResolveAudienceOrThrow. PerfBootstrap.MintToken
+ Program.cs JWT bootstrap migrated to the new surface so the perf
harness and the integration runner both validate against the same
contract.

Adds 4 fail-fast unit tests (missing/empty issuer + audience), 2
negative integration scenarios (WrongIssuer_Returns401,
WrongAudience_Returns401), and re-tags every existing integration
mint site via MintAuthenticated.

Compose, .env.example, run-tests.sh, run-performance-tests.sh all
load + export JWT_ISSUER + JWT_AUDIENCE alongside JWT_SECRET.

Resolves F-AUTH-2 (security_report.md + owasp_review.md). AC-7
(cross-repo suite/_docs/10_auth.md write) deferred — outside this
workspace; tracked in deploy_cycle2.md R3 follow-up.

Co-authored-by: Cursor <cursoragent@cursor.com>

SatelliteProvider.Api/Authentication/AuthenticationServiceCollectionExtensions.cs

@@ -8,6 +8,10 @@ public static class AuthenticationServiceCollectionExtensions
 {
     public const string JwtSecretEnvVar = "JWT_SECRET";
     public const string JwtSecretConfigKey = "Jwt:Secret";
+    public const string JwtIssuerEnvVar = "JWT_ISSUER";
+    public const string JwtIssuerConfigKey = "Jwt:Issuer";
+    public const string JwtAudienceEnvVar = "JWT_AUDIENCE";
+    public const string JwtAudienceConfigKey = "Jwt:Audience";
     public const int MinSecretByteLength = 32;
 
     public static IServiceCollection AddSatelliteJwt(this IServiceCollection services, IConfiguration configuration)
@@ -16,6 +20,8 @@ public static class AuthenticationServiceCollectionExtensions
         ArgumentNullException.ThrowIfNull(configuration);
 
         var secret = ResolveSecretOrThrow(configuration);
+        var issuer = ResolveRequiredOrThrow(configuration, JwtIssuerEnvVar, JwtIssuerConfigKey, "JWT issuer");
+        var audience = ResolveRequiredOrThrow(configuration, JwtAudienceEnvVar, JwtAudienceConfigKey, "JWT audience");
         var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
 
         services
@@ -28,8 +34,10 @@ public static class AuthenticationServiceCollectionExtensions
                     IssuerSigningKey = signingKey,
                     ValidateLifetime = true,
                     ClockSkew = TimeSpan.FromSeconds(30),
-                    ValidateIssuer = false,
-                    ValidateAudience = false,
+                    ValidateIssuer = true,
+                    ValidIssuer = issuer,
+                    ValidateAudience = true,
+                    ValidAudience = audience,
                     RequireSignedTokens = true,
                     RequireExpirationTime = true
                 };
@@ -63,4 +71,26 @@ public static class AuthenticationServiceCollectionExtensions
 
         return secret;
     }
+
+    // AZ-494: required non-secret config (iss / aud). Fail-fast contract mirrors
+    // JWT_SECRET — missing or whitespace-only values throw at startup so a
+    // production deploy without the operator-confirmed values cannot silently
+    // accept tokens with arbitrary issuer/audience claims.
+    internal static string ResolveRequiredOrThrow(IConfiguration configuration, string envVar, string configKey, string humanLabel)
+    {
+        var value = Environment.GetEnvironmentVariable(envVar);
+        if (string.IsNullOrWhiteSpace(value))
+        {
+            value = configuration[configKey];
+        }
+
+        if (string.IsNullOrWhiteSpace(value))
+        {
+            throw new InvalidOperationException(
+                $"{humanLabel} is not configured. Set the {envVar} environment variable " +
+                $"or the {configKey} configuration key. (See AZ-494 task spec.)");
+        }
+
+        return value;
+    }
 }