[AZ-494] Enable JWT iss/aud validation with fail-fast startup

Option B per user decision: production ships with empty Jwt.Issuer /
Jwt.Audience in appsettings.json so the API process refuses to start
unless JWT_ISSUER + JWT_AUDIENCE env vars are supplied. Development
ships with grep-friendly DEV-ONLY- placeholders so local + docker
flows keep working unchanged.

AuthenticationServiceCollectionExtensions flips ValidateIssuer +
ValidateAudience to true and wires ValidIssuer / ValidAudience via a
new ResolveRequiredOrThrow helper that all three required values
(secret, iss, aud) now share. JwtTokenFactory.Create + CreateExpired
gain optional iss / aud parameters (default null) so existing call
sites compile unchanged. JwtTestHelpers adds MintAuthenticated /
MintExpired wrappers that resolve iss + aud from env, plus
ResolveIssuerOrThrow / ResolveAudienceOrThrow. PerfBootstrap.MintToken
+ Program.cs JWT bootstrap migrated to the new surface so the perf
harness and the integration runner both validate against the same
contract.

Adds 4 fail-fast unit tests (missing/empty issuer + audience), 2
negative integration scenarios (WrongIssuer_Returns401,
WrongAudience_Returns401), and re-tags every existing integration
mint site via MintAuthenticated.

Compose, .env.example, run-tests.sh, run-performance-tests.sh all
load + export JWT_ISSUER + JWT_AUDIENCE alongside JWT_SECRET.

Resolves F-AUTH-2 (security_report.md + owasp_review.md). AC-7
(cross-repo suite/_docs/10_auth.md write) deferred — outside this
workspace; tracked in deploy_cycle2.md R3 follow-up.

Co-authored-by: Cursor <cursoragent@cursor.com>

scripts/run-performance-tests.sh

@@ -36,8 +36,9 @@ echo ""
 PASS=0
 FAIL=0
 
-# Load JWT_SECRET from .env if not already exported (mirrors run-tests.sh).
-if [[ -z "${JWT_SECRET:-}" ]] && [[ -f "$PROJECT_ROOT/.env" ]]; then
+# Load JWT_SECRET / JWT_ISSUER / JWT_AUDIENCE from .env if not already exported
+# (mirrors run-tests.sh). AZ-494: iss + aud are now required.
+if { [[ -z "${JWT_SECRET:-}" ]] || [[ -z "${JWT_ISSUER:-}" ]] || [[ -z "${JWT_AUDIENCE:-}" ]]; } && [[ -f "$PROJECT_ROOT/.env" ]]; then
     set -o allexport
     # shellcheck disable=SC1091
     source "$PROJECT_ROOT/.env"
@@ -70,7 +71,16 @@ if [[ -z "${PERF_JWT_TOKEN:-}" ]]; then
         exit 3
     fi
 
-    export JWT_SECRET
+    if [[ -z "${JWT_ISSUER:-}" ]]; then
+        echo "ERROR: JWT_ISSUER is not set (AZ-494). Export it or add to .env so the minted token's iss matches the API."
+        exit 3
+    fi
+    if [[ -z "${JWT_AUDIENCE:-}" ]]; then
+        echo "ERROR: JWT_AUDIENCE is not set (AZ-494). Export it or add to .env so the minted token's aud matches the API."
+        exit 3
+    fi
+
+    export JWT_SECRET JWT_ISSUER JWT_AUDIENCE
     echo "Minting perf JWT via SatelliteProvider.IntegrationTests --mint-only..."
     if ! PERF_JWT_TOKEN=$(dotnet "$PERF_DLL" --mint-only); then
         echo "ERROR: --mint-only invocation failed (see stderr above)"

scripts/run-tests.sh

@@ -28,6 +28,10 @@ Environment:
   JWT_SECRET           Required for any integration test mode. Shared HMAC secret used by the
                        API and the integration test runner; must be at least 32 bytes (UTF-8).
                        Loaded from .env or shell env.
+  JWT_ISSUER           Required for any integration test mode (AZ-494). Must match the value
+                       the API container validates. May be a DEV-ONLY value for local runs.
+  JWT_AUDIENCE         Required for any integration test mode (AZ-494). Same contract as
+                       JWT_ISSUER — must match what the API container validates.
 EOF
 }
 
@@ -73,7 +77,7 @@ if [[ "$mode" == "unit" ]]; then
     exit 0
 fi
 
-if { [[ -z "${GOOGLE_MAPS_API_KEY:-}" ]] || [[ -z "${JWT_SECRET:-}" ]]; } && [[ -f "$PROJECT_ROOT/.env" ]]; then
+if { [[ -z "${GOOGLE_MAPS_API_KEY:-}" ]] || [[ -z "${JWT_SECRET:-}" ]] || [[ -z "${JWT_ISSUER:-}" ]] || [[ -z "${JWT_AUDIENCE:-}" ]]; } && [[ -f "$PROJECT_ROOT/.env" ]]; then
     set -o allexport
     # shellcheck disable=SC1091
     source "$PROJECT_ROOT/.env"
@@ -97,6 +101,17 @@ if (( jwt_secret_bytes < 32 )); then
 fi
 export JWT_SECRET
 
+if [[ -z "${JWT_ISSUER:-}" ]]; then
+    echo "ERROR: JWT_ISSUER is not set (export it or add to .env). API + integration tests require it (AZ-494)."
+    exit 3
+fi
+if [[ -z "${JWT_AUDIENCE:-}" ]]; then
+    echo "ERROR: JWT_AUDIENCE is not set (export it or add to .env). API + integration tests require it (AZ-494)."
+    exit 3
+fi
+export JWT_ISSUER
+export JWT_AUDIENCE
+
 echo "Step 1: Unit tests"
 docker run --rm -v "$PROJECT_ROOT:/src" -w /src mcr.microsoft.com/dotnet/sdk:8.0 \
     sh -c "dotnet restore SatelliteProvider.sln && dotnet test SatelliteProvider.Tests/SatelliteProvider.Tests.csproj --no-restore --configuration Release --collect:'XPlat Code Coverage' --results-directory /src/TestResults --logger 'console;verbosity=normal'"