feat(security): remover claim permisos del JWT post-UDT-009 [UDT-009]

src/api/SIGCM2.Infrastructure/Security/JwtService.cs

@@ -1,6 +1,5 @@
 using System.Security.Claims;
 using System.Security.Cryptography;
-using System.Text.Json;
 using Microsoft.IdentityModel.Tokens;
 using System.IdentityModel.Tokens.Jwt;
 using SIGCM2.Application.Abstractions.Security;
@@ -44,13 +43,17 @@ public sealed class JwtService : IJwtService
         return principal;
     }
 
+    /// <summary>
+    /// UDT-009: Generates an access token with minimal claims.
+    /// Claim 'permisos' has been removed — authorization handler resolves permissions
+    /// from DB per-request using IUsuarioRepository + PermisoResolver.
+    /// Token claims: sub, jti, name, rol (+ standard iat/exp/nbf).
+    /// </summary>
     public string GenerateAccessToken(Usuario usuario)
     {
         var signingKey = new RsaSecurityKey(_rsa);
         var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.RsaSha256);
 
-        var permisos = DeserializePermisos(usuario.PermisosJson);
-
         var claims = new List<Claim>
         {
             new(JwtRegisteredClaimNames.Sub, usuario.Id.ToString()),
@@ -59,10 +62,6 @@ public sealed class JwtService : IJwtService
             new("rol", usuario.Rol),
         };
 
-        // Add each permission as a separate claim
-        foreach (var permiso in permisos)
-            claims.Add(new Claim("permisos", permiso));
-
         var now = DateTime.UtcNow;
         var descriptor = new SecurityTokenDescriptor
         {
@@ -78,16 +77,4 @@ public sealed class JwtService : IJwtService
         var token = handler.CreateToken(descriptor);
         return handler.WriteToken(token);
     }
-
-    private static string[] DeserializePermisos(string permisosJson)
-    {
-        try
-        {
-            return JsonSerializer.Deserialize<string[]>(permisosJson) ?? [];
-        }
-        catch
-        {
-            return [];
-        }
-    }
 }