Tasks 7-9: AuthController, appsettings, Program.cs

Task 7 – AuthController (POST /api/auth/login|refresh|logout)
  - Refresh token in HttpOnly; Secure; SameSite=Strict cookie (rolac_rt)
  - Cookie Path scoped to /api/auth; cleared on logout/invalid refresh

Task 8 – appsettings.json (non-secret JWT values + CORS origins)
  - appsettings.Development.json carries connection string + JWT secret
    (file is gitignored)

Task 9 – Program.cs wiring
  - EF Core + Npgsql, ASP.NET Core Identity, JWT Bearer auth
  - RoleClaimType=role matches the short JWT claim name written by TokenService
  - CORS: AllowCredentials for Angular app
  - Swagger UI with Bearer security definition
  - Startup: MigrateAsync + DbSeeder.SeedAsync (roles + dev admin)
  - DbSeeder: added SeedAsync(IServiceProvider) entry point

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

API/ROLAC.API/Data/DbSeeder.cs

@@ -37,6 +37,22 @@ public static class DbSeeder
         }
     }
 
+    /// <summary>
+    /// Seeds roles and (in Development) the default admin account.
+    /// Called once on application startup after migrations have been applied.
+    /// </summary>
+    public static async Task SeedAsync(IServiceProvider services)
+    {
+        var roleManager = services.GetRequiredService<RoleManager<AppRole>>();
+        var userManager = services.GetRequiredService<UserManager<AppUser>>();
+        var env         = services.GetRequiredService<IWebHostEnvironment>();
+
+        await SeedRolesAsync(roleManager);
+
+        if (env.IsDevelopment())
+            await SeedAdminUserAsync(userManager);
+    }
+
     /// <summary>
     /// Creates a super_admin test account for local development.
     /// DO NOT call this in production — remove or guard with IsDevelopment().