Update .NET AAuth research plan to leverage existing libraries #4

Merged: dasiths merged 3 commits into main from copilot/update-aauth-sdk-research-plan on May 12, 2026

Copilot AI commented May 12, 2026

✨ Enhancement

The research plan assumed RFC 9421, RFC 8941, RFC 8785, JWK thumbprints, JWKS hosting and Ed25519 JWT support would be hand-rolled in .NET. Several mature libraries now cover these — the plan should point at them and reserve custom code for AAuth-specific protocol surface.

What does this improve?

.agent/plans/2026-05-13-dotnet-aauth-sdk/research.md now names concrete .NET packages for every standard protocol component and narrows bespoke work to AAuth-specific logic (Signature-Key schemes, AAuth-* header semantics, challenge orchestration, mission/R3).

Why is this valuable?

Removes the "biggest implementation effort" framing around RFC 9421, de-risks Ed25519 JWT signing, and makes it clear what the project actually has to own vs. consume.

Implementation approach:

  • §3.2, §4.1, §6, §9 Phase 1, §12 — RFC 9421 work now rides on NSign (.Client, .AspNetCore, .BouncyCastle for Ed25519). §6 keeps the conceptual signature-base description as a spec reference behind an "Update (2026-05)" banner.
  • §4.1 — JWK thumbprints use Microsoft.IdentityModel.Tokens.JsonWebKey.ComputeJwkThumbprint() (RFC 7638); JWTs use JsonWebTokenHandler. Ed25519 JWT signing uses ScottBrady.IdentityModel.EdDsa (provider for Microsoft.IdentityModel) or jose-jwt (standalone) — Microsoft.IdentityModel still ships no built-in EdDSA provider.
  • §4.1, §4.2, §4.3 — Signature-Key and AAuth-* headers parsed via StructuredFieldValues (RFC 8941). AAuthSigningHandler layered on NSign.Client; AAuthMiddleware layered on NSign.AspNetCore. JWKS hosting/rotation via NetDevPack.Security.Jwt.AspNetCore or Jwks.Manager.
  • §4.5 — CLI specified as System.CommandLine.
  • §5.1 / §5.2 — RFC 8785 canonicalization via JsonCanonicalizer (author's port) with Stratumn.CanonicalJson as alternative. NSec.Cryptography called out as recommended Ed25519 fallback; Portable.BouncyCastle as secondary. The .NET 10/.NET 8 compatibility table was split into raw-crypto / JWT / RFC-9421 rows to make explicit that Ed25519-in-JWT and Ed25519-in-RFC-9421 require external NuGets on both runtimes.
  • §7.2 / §7.3 — Integration diagrams updated to show NSign underneath the AAuth handler/middleware.
  • §10 — Dependency table expanded with NSign family, StructuredFieldValues, JsonCanonicalizer, ScottBrady.IdentityModel.EdDsa/jose-jwt, NetDevPack.Security.Jwt.AspNetCore/Jwks.Manager, System.CommandLine, WireMock.Net, ModelContextProtocol(.AspNetCore), Portable.BouncyCastle.
  • §11 — WireMock.Net added alongside WebApplicationFactory<T> for AP/PS/Resource/AS simulation in integration tests.
  • §12 — Gaps 1–5 rewritten as resolved/de-risked with library citations and alternatives; MCP SDK packages named explicitly; samples-vs-SDK note revised to reflect the shrunken bespoke surface.

Copilot AI changed the title from "[WIP] Update AAuth .NET SDK research plan with security libraries" to "Update .NET AAuth research plan to leverage existing libraries" May 12, 2026
Copilot AI requested a review from dasiths May 12, 2026 16:26
dasiths marked this pull request as ready for review May 12, 2026 16:29
dasiths merged commit c975924 into main May 12, 2026
dasiths deleted the copilot/update-aauth-sdk-research-plan branch May 12, 2026 16:29

Successfully merging this pull request may close these issues.

Update AAuth .NET SDK research plan with available security/encryption libraries
