Conversation

@SamyRai (Collaborator) commented Jan 28, 2026

Summary

This PR implements a unified, production-grade OpenID Connect (OIDC) system for both the Dashboard (BFF) and API (Resource Server), following the OAuth 2.1 / FAPI 2.0 Security Profiles.

Key Features:

  • Unified OIDC Authentication: Sequential validation of Session, OIDC Bearer Tokens (JWT), API Keys, and Master Tokens.
  • Dashboard (BFF) Security: OIDC Authorization Code flow with PKCE, server-side session encryption, and automatic ID rotation.
  • API (Resource Server) Security: JWT validation using a high-performance JWKS engine with background refresh.
  • Production Hardening:
    • Multi-tier rate limiting (IP, User, Tenant).
    • Synchronizer-token based CSRF protection.
    • Comprehensive audit logging for all authentication and state-changing events.
    • SSRF protection by disabling redirects in the OIDC client.
  • HTMX Support: Custom redirect middleware to convert 302s to HX-Redirect for seamless frontend transitions.
  • Full Test Coverage: Expanded the E2E suite with 22 new security-focused tests, achieving 100% pass rate.
  • Hygiene: Cleaned up all linter warnings and migrated remaining benchmarks to the project-standard time crate.

Test Plan

  • cargo test --workspace passes (337 tests).
  • cargo clippy --all-targets --all-features -- -D warnings passes.
  • Manual verification of OIDC login flow with mock server.
  • Verification of rate limiting (429) and CSRF protection headers.

Related Issues

Part of the security hardening phase.

@SamyRai SamyRai force-pushed the feat/oidc-authentication branch 3 times, most recently from 2ce184d to 40ca7a1, January 28, 2026 21:55
@SamyRai SamyRai merged commit 40ca7a1 into main Jan 28, 2026
@SamyRai SamyRai deleted the feat/oidc-authentication branch January 28, 2026 21:56