Adds IFileStorage abstraction and LocalDiskFileStorage for receipt file storage with path-traversal protection, and registers it in DI. Includes 3 TDD-verified xUnit tests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Task 7 – AuthController (POST /api/auth/login|refresh|logout)
- Refresh token in HttpOnly; Secure; SameSite=Strict cookie (rolac_rt)
- Cookie Path scoped to /api/auth; cleared on logout/invalid refresh

Task 8 – appsettings.json (non-secret JWT values + CORS origins)
- appsettings.Development.json carries connection string + JWT secret (file is gitignored)

Task 9 – Program.cs wiring
- EF Core + Npgsql, ASP.NET Core Identity, JWT Bearer auth
- RoleClaimType=role matches the short JWT claim name written by TokenService
- CORS: AllowCredentials for Angular app
- Swagger UI with Bearer security definition
- Startup: MigrateAsync + DbSeeder.SeedAsync (roles + dev admin)
- DbSeeder: added SeedAsync(IServiceProvider) entry point

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>