feat(audit): security events en Auth + authorization handlers (UDT-010 B9)

Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC:

LoginCommandHandler:
- login success → action=login result=success actorUserId=user.Id
- login failure disaggregated internally (client still sees 401 unified):
  user_not_found / user_inactive / invalid_password
  — attempts captured with attemptedUsername + FailureReason

LogoutCommandHandler:
- action=logout result=success actorUserId=cmd.UsuarioId

RefreshCommandHandler:
- refresh.issue success on successful rotation
- refresh.reuse_detected failure when revoked token is presented (chain
  revoke already happens; we add the security event with metadata.familyId)
- refresh.issue failure for: token_expired / sub_mismatch / user_not_found /
  user_inactive

PermissionAuthorizationHandler:
- permission.denied failure on require-permission rejection, with metadata
  { permissionRequired, endpoint, method }. ActorUserId from JWT sub.

DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure).

Test updates: 4 test classes now inject ISecurityEventLogger mock:
- LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests
- PermissionAuthorizationHandlerTests (Api.Tests)

Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing.

Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC,
design, tasks#B9}

src/api/SIGCM2.Api/Authorization/PermissionAuthorizationHandler.cs

@@ -2,6 +2,7 @@ using System.IdentityModel.Tokens.Jwt;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 
 namespace SIGCM2.Api.Authorization;
@@ -12,21 +13,25 @@ namespace SIGCM2.Api.Authorization;
 /// and IUsuarioRepository, resolves effective permissions via PermisoResolver,
 /// and succeeds if at least one required permission matches (OR semantics).
 /// No caching — always authoritative from DB (UDT-006 D1, UDT-009 D3).
+/// UDT-010: emits SecurityEvent 'permission.denied' on rejection.
 /// </summary>
 public sealed class PermissionAuthorizationHandler
     : AuthorizationHandler<RequirePermissionAttribute>
 {
     private readonly IRolPermisoRepository _rolPermisoRepo;
     private readonly IUsuarioRepository _usuarioRepo;
+    private readonly ISecurityEventLogger _security;
     private readonly ILogger<PermissionAuthorizationHandler> _logger;
 
     public PermissionAuthorizationHandler(
         IRolPermisoRepository rolPermisoRepo,
         IUsuarioRepository usuarioRepo,
+        ISecurityEventLogger security,
         ILogger<PermissionAuthorizationHandler> logger)
     {
         _rolPermisoRepo = rolPermisoRepo;
         _usuarioRepo = usuarioRepo;
+        _security = security;
         _logger = logger;
     }
 
@@ -83,8 +88,17 @@ public sealed class PermissionAuthorizationHandler
         }
 
         // 8. Stash required permission for ForbiddenProblemDetailsHandler
+        var requiredPermission = requirement.PermissionCodes[0];
         if (context.Resource is HttpContext httpContext)
-            httpContext.Items["RequiredPermission"] = requirement.PermissionCodes[0];
+            httpContext.Items["RequiredPermission"] = requiredPermission;
+
+        // 9. Emit SecurityEvent for the denial
+        var endpoint = (context.Resource as HttpContext)?.Request?.Path.Value;
+        var method = (context.Resource as HttpContext)?.Request?.Method;
+        await _security.LogAsync("permission.denied", "failure",
+            actorUserId: userId,
+            failureReason: $"missing_permission:{requiredPermission}",
+            metadata: new { permissionRequired = requiredPermission, endpoint, method });
 
         context.Fail(new AuthorizationFailureReason(this,
             $"missing_permission:{string.Join('|', requirement.PermissionCodes)}"));