🧪 test: add JWT secret rotation BDD scenarios and step implementations (#12)

✨ merge: implement JWT secret rotation with BDD scenario isolation

- Implement JWT secret rotation mechanism (closes #8)
- Add per-scenario state isolation for BDD tests (closes #14)
- Validate password reset workflow via BDD tests (closes #7)
- Fix port conflicts in test validation
- Add state tracer for debugging test execution
- Document BDD isolation strategies in ADR 0025
- Fix PostgreSQL configuration environment variables

Generated by Mistral Vibe.
Co-Authored-By: Mistral Vibe <vibe@mistral.ai>
Co-authored-by: Gabriel Radureau <arcodange@gmail.com>
Co-committed-by: Gabriel Radureau <arcodange@gmail.com>

pkg/server/server.go

@@ -72,6 +72,12 @@ func NewServer(cfg *config.Config, readyCtx context.Context) *Server {
 	return s
 }
 
+// GetAuthService returns the auth service for test cleanup
+// This allows test suites to reset JWT secrets between tests
+func (s *Server) GetAuthService() user.AuthService {
+	return s.userService
+}
+
 // initializeUserServices initializes the user repository and unified user service
 func initializeUserServices(cfg *config.Config) (user.UserRepository, user.UserService, error) {
 	// Create user repository using PostgreSQL
@@ -166,6 +172,12 @@ func (s *Server) registerApiV1Routes(r chi.Router) {
 			r.Route("/auth", func(r chi.Router) {
 				handler.RegisterRoutes(r)
 			})
+
+			// Register admin routes
+			adminHandler := userapi.NewAdminHandler(s.userService)
+			r.Route("/admin", func(r chi.Router) {
+				adminHandler.RegisterRoutes(r)
+			})
 		}
 	}
 }