Commit graph

4 commits

Author SHA1 Message Date
Johan Lundberg
c7550cbf09
fix(security): lock down signing-key file permissions
Private JWK files were written under the default umask (observed 0664 — group
and world readable). Create the key directory 0700, chmod private key files
(private_jwks.json, token_jwks.json) to 0600 after they are written, and
refuse to start if a pre-existing private key is group/world accessible.

Tests now use an isolated per-test key directory.

Refs: porchlight-91i

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-08 15:21:27 +02:00
Johan Lundberg
cf2754f302
fix(security): require a configured session secret in production
session_secret defaulted to a random per-process value, which silently
invalidates all sessions on restart and rotates the management client secret.
Add _resolve_session_secret(): use the configured secret; allow a generated
one only in debug or for a localhost issuer; otherwise fail startup. The
management client secret is now tied to the resolved session secret.

Refs: porchlight-wvx

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-05 14:12:54 +02:00
Johan Lundberg
64f8c1936b
refactor: fix lint warnings and remove stale type: ignore comments
2026-02-18 13:08:03 +01:00
Johan Lundberg
eeb09321e2
feat: register OIDC clients from config file
2026-02-18 12:48:23 +01:00