…it doc-drift) (#103)

Closes the documentation half of the v0.2.0 portal audit. Tur 1 (#101)
was the security fix, Tur 2 (#102) was the test coverage; this PR is
the doc drift the same audit surfaced.

docs/API.md §3.8 — Portal API (Customer-Facing JWT):
- HS256 JWT contract: algorithm pin, signing key per-app, lifetime
  cap, clock skew, token size cap, required + optional claims.
- Capability table: endpoints:read|write|test, attempts:read.
- Per-app CORS rules: no wildcards, https-only, RFC 6454 case-
  insensitive matching, preflight semantics.
- Rate limit: shares send-by-appid partition; cross-tenant lookups
  return 404 (never 403, which would leak existence).
- All 10 portal routes documented with request/response shape.
- 5 dashboard portal-admin routes documented.
- Portal-specific error code table.
- End-to-end probe with jose (Node.js mint) + cURL.

docs/ARCHITECTURE.md §4.3 — Portal Token Authentication:
- Per-application secrets stored on Application (PortalSigningKey,
  AllowedPortalOriginsJson, PortalRotatedAt).
- Pipeline ordering with the three invariants it encodes (ApiKeyAuth
  bypass, PortalToken-before-PortalCors, both-before-RateLimiter).
- PortalLookupCache: TTL, instant local invalidation, atomic CTS swap.
- Cross-tenant isolation via 2-arg GetByIdAsync.
- JWT validator defense-in-depth (HS256 pin, 8 KiB token cap,
  MapInboundClaims=false, lifetime cap, opaque error bodies).

…alidator merge, PUT→PATCH, disable preserves origins) (#104)

Closes the four P1 behaviour findings from the v0.2.0 portal audit. Tur 1
(#101) shipped the P0 security fixes, Tur 2 (#102) shipped the test
coverage, Tur 3 (#103) shipped the docs; this Tur 4 closes the behaviour
delta.

1. PortalCorsMiddleware deny-cache.
   HandlePreflightAsync now caches both allow and deny outcomes via
   IMemoryCache for the same TTL as the per-app signing-key lookup
   (default 60s). Browsers don't cache rejected preflights, so every
   OPTIONS from a disallowed origin used to re-scan the portal-enabled
   app set + deserialize the JSON allowlist — a free DB hammer vector
   for any caller that knew the portal prefix. Cache key is
   lowercased-origin scoped (RFC 6454 §4 case-insensitive). New test
   Preflight_Deny_Decision_Is_Cached_Within_Ttl pins the behaviour by
   mutating the DB to allow the origin after a 403 and asserting the
   second call still 403s within the TTL window.

2. EndpointValidationRules helper consolidation.
   New extension methods (EndpointUrlSyntax, EndpointDescription,
   EndpointTransformExpression, EndpointCustomHeaders,
   EndpointAllowedIpsCidrs, EndpointSecretOverride) become the single
   source of truth for the field-shape rules shared between the 4
   admin endpoint validators and the 2 portal endpoint validators.
   Without this consolidation, tightening a rule on one surface
   silently leaves the other surface weaker — exactly the drift
   pattern the audit flagged. Async DNS host-safety check stays in
   each validator (DependentRules + CustomAsync needs the full
   property selector). Behaviour unchanged.

3. PortalEndpointsController.Update → [HttpPatch].
   The action's body semantics were always partial-replace (every
   field optional, only non-null fields applied) — that's PATCH, not
   PUT. Switching the verb aligns the wire surface with reality and
   stops misleading REST consumers that expect PUT to be full-replace.
   Route, request shape, response shape unchanged. Two existing tests
   ported from PutAsJsonAsync to PatchAsync + JsonContent.Create.

4. DashboardPortalController.Disable preserves origins.
   Removed the line that nulled AllowedPortalOriginsJson on disable.
   Disable now revokes only the auth surface (PortalSigningKey,
   PortalRotatedAt) and keeps the operator-curated CORS allowlist so
   re-enable doesn't force re-curation. Explicit clear path remains:
   PUT /portal/origins with {origins: []}. Renamed test
   Disable_Clears_SigningKey_And_Origins → Disable_Clears_SigningKey_But_Preserves_Origins
   with assertion flip.

…e TTL) (#105)

Locks in two v0.2.0 audit decisions that were marked 'worth recording'
in the reviewer agent's punch list. Both are pure documentation —
behaviour was already shipped in PRs #101 and #104.

ADR-004 — Portal Signing Key Storage:
- Plaintext varchar(64) at rest, mirroring the existing SigningSecret
  column. No application-level encryption; relies on operator's
  Postgres deployment posture.
- Instant invalidation on rotate / disable. No grace window for
  overlapping old + new key validity.
- One-shot reveal on enable / rotate; subsequent reads return only
  portalEnabled bool + rotated-at + origins (never the key).
- Documents alternatives (pgcrypto, rotation grace, external KMS)
  and revisit triggers (compliance regimes, host-integration
  friction, key reuse beyond JWT verification).

ADR-005 — Portal CORS Preflight Deny-Cache TTL:
- 60s default (LookupCacheTtlSeconds reuse); cache both allow and
  deny outcomes; key is lowercased-origin scoped.
- No synchronous invalidation hook from PUT /portal/origins:
  cache key is origin-scoped, operator action is app-scoped —
  bookkeeping cost outweighs the <=60s staleness.
- Documents alternatives (per-app invalidation, shorter/longer TTL,
  negative-only cache) and revisit triggers (operator UX complaints,
  memory pressure via origin enumeration).