Task 11: Smoke test fixes (all 5 scenarios pass)

TokenService.GenerateRefreshToken():
  - Switched to URL-safe Base64 (RFC 4648 §5): +→-, /→_, no = padding.
  - Characters are unreserved per RFC 6265, so Response.Cookies.Append
    does NOT percent-encode the value.  Request.Cookies reads back exact value.

AuthController:
  - CookieOptions.Secure = !env.IsDevelopment()
    Plain HTTP in local dev works; HTTPS-only in staging/production.
  - Inject IWebHostEnvironment for environment-aware Secure flag.

TokenServiceTests:
  - Updated GenerateRefreshToken test: 86-char URL-safe Base64 instead
    of 64-byte standard Base64.  16/16 tests pass.

Smoke test results (http://localhost:5209):
  1. POST /api/auth/login       → 200 + rolac_rt cookie + JWT
  2. POST /api/auth/refresh     → 200 + new token (rotation)
  3. POST /api/auth/logout      → 204 + cookie cleared
  4. Refresh with revoked token → 401
  5. Wrong password             → 401

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

API/ROLAC.API.Tests/Services/TokenServiceTests.cs

@@ -97,13 +97,17 @@ public class TokenServiceTests
     // ---------------------------------------------------------------------------
 
     [Fact]
-    public void GenerateRefreshToken_Returns64ByteBase64String()
+    public void GenerateRefreshToken_Returns86CharUrlSafeBase64()
     {
         var token = _sut.GenerateRefreshToken();
 
         Assert.NotEmpty(token);
-        var bytes = Convert.FromBase64String(token);
-        Assert.Equal(64, bytes.Length);
+        // 64 bytes → 88 standard Base64 chars → 86 URL-safe chars (no '==' padding,
+        // '+' → '-', '/' → '_').  All chars must be unreserved in RFC 6265 cookie-values.
+        Assert.Equal(86, token.Length);
+        Assert.True(
+            token.All(c => char.IsLetterOrDigit(c) || c == '-' || c == '_'),
+            "Token must use URL-safe Base64 alphabet (A-Z a-z 0-9 - _)");
     }
 
     [Fact]