
feat: keycloak jwt hardening (roles + audience + profiles)#4

Open
egorkuzn wants to merge 2 commits into 19Igor:main from egorkuzn:feat/keycloak-jwt-hardening

Conversation


@egorkuzn egorkuzn commented Apr 24, 2026

What changed:

  • Added Keycloak role mapping from realm_access.roles and resource_access client roles into Spring ROLE authorities.
  • Kept default scope mapping for SCOPE authorities.
  • Added configurable JWT audience validation.
  • Enabled method security to keep handler-level role access model.
  • Split config into local/dev/prod profile files with env-driven settings.
  • Stabilized JwtDecoder initialization for CI/tests without requiring a live Keycloak during context bootstrap.

Issues:

Notes:

  • Handler-level access control remains the source of truth.
  • Local profile has defaults for quick startup.
  • Dev/prod profiles require KC_ISSUER_URI, KC_CLIENT_ID, KC_EXPECTED_AUDIENCES.
  • Verified with dockerized Maven run: mvn test => BUILD SUCCESS.
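As an added example (not code from this PR or the repository), the role and audience handling described above in Spring Security form: realm_access.roles and every resource_access client's roles become ROLE_* authorities, the default SCOPE_* mapping is kept, and an audience validator is chained onto a JWK-set decoder so no Keycloak call happens until the first token is decoded. The class name, method names and the jwkSetUri parameter are assumptions.

```java
import java.util.*;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

public final class KeycloakJwtSupport { // hypothetical helper, not from the PR

    /** Default SCOPE_* authorities plus ROLE_* authorities from Keycloak realm and client roles. */
    public static JwtAuthenticationConverter authenticationConverter() {
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter(); // SCOPE_ prefix
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> {
            Set<GrantedAuthority> authorities = new LinkedHashSet<>(scopes.convert(jwt));
            extractRoles(jwt).forEach(r -> authorities.add(new SimpleGrantedAuthority("ROLE_" + r)));
            return authorities;
        });
        return converter;
    }

    /** Collects realm_access.roles and resource_access.<client>.roles; missing claims yield no roles. */
    static Set<String> extractRoles(Jwt jwt) {
        Set<String> roles = new LinkedHashSet<>();
        Map<String, Object> realm = jwt.getClaimAsMap("realm_access");
        if (realm != null && realm.get("roles") instanceof Collection<?> c) {
            c.forEach(r -> roles.add(String.valueOf(r)));
        }
        Map<String, Object> resource = jwt.getClaimAsMap("resource_access");
        if (resource != null) {
            for (Object client : resource.values()) {
                if (client instanceof Map<?, ?> m && m.get("roles") instanceof Collection<?> c) {
                    c.forEach(r -> roles.add(String.valueOf(r)));
                }
            }
        }
        return roles;
    }

    /** Rejects tokens whose aud claim contains none of the configured expected audiences. */
    public static OAuth2TokenValidator<Jwt> audienceValidator(Collection<String> expected) {
        return jwt -> jwt.getAudience().stream().anyMatch(expected::contains)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(
                        new OAuth2Error("invalid_token", "Required audience missing", null));
    }

    /** JWK-set based decoder: keys are fetched lazily, so context startup needs no live Keycloak. */
    public static JwtDecoder jwtDecoder(String issuerUri, String jwkSetUri, Collection<String> audiences) {
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                JwtValidators.createDefaultWithIssuer(issuerUri), audienceValidator(audiences)));
        return decoder;
    }
}
```

Wire the converter into `oauth2ResourceServer().jwt().jwtAuthenticationConverter(...)` and expose the decoder as a bean; with handler-level `@PreAuthorize("hasRole('...')")` checks, a token passing issuer and audience validation but lacking the role is still rejected at the method.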

@egorkuzn (Author) commented

I checked this repository for OpenAPI/Swagger annotations and spec files before applying security changes. There are no swagger/openapi descriptors in the current codebase.

To keep the existing access model safe, this PR keeps authorization at handler level via method security and does not add path-based role rules.
