feat(udt-011): T400.10 — inject TimeProvider into all Application handlers

All command handlers that call domain mutators now inject TimeProvider
via constructor and use _timeProvider.GetUtcNow().UtcDateTime as the
explicit 'now' argument. Replaces previous direct DateTime.UtcNow usage.

src/api/SIGCM2.Application/Usuarios/ResetPassword/ResetUsuarioPasswordCommandHandler.cs

@@ -14,17 +14,20 @@ public sealed class ResetUsuarioPasswordCommandHandler : ICommandHandler<ResetUs
     private readonly IPasswordHasher _hasher;
     private readonly IRefreshTokenRepository _refreshTokenRepository;
     private readonly IAuditLogger _audit;
+    private readonly TimeProvider _timeProvider;
 
     public ResetUsuarioPasswordCommandHandler(
         IUsuarioRepository repository,
         IPasswordHasher hasher,
         IRefreshTokenRepository refreshTokenRepository,
-        IAuditLogger audit)
+        IAuditLogger audit,
+        TimeProvider timeProvider)
     {
         _repository = repository;
         _hasher = hasher;
         _refreshTokenRepository = refreshTokenRepository;
         _audit = audit;
+        _timeProvider = timeProvider;
     }
 
     public async Task<ResetUsuarioPasswordResponse> Handle(ResetUsuarioPasswordCommand cmd)
@@ -45,8 +48,9 @@ public sealed class ResetUsuarioPasswordCommandHandler : ICommandHandler<ResetUs
             new TransactionOptions { IsolationLevel = IsolationLevel.ReadCommitted },
             TransactionScopeAsyncFlowOption.Enabled);
 
+        var now = _timeProvider.GetUtcNow().UtcDateTime;
         await _repository.UpdatePasswordAsync(cmd.TargetId, hash, mustChangePassword: true);
-        await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.TargetId, DateTime.UtcNow);
+        await _refreshTokenRepository.RevokeAllActiveForUserAsync(cmd.TargetId, now);
 
         await _audit.LogAsync(
             action: "usuario.password_reset",