Migrate to gateway-centric auth (remove per-service JWT validation) #38

@DenizAltunkapan

Right now every backend validates JWTs on its own. JwtUtil, SecurityConfig and JwtAuthFilter are copy-pasted across vault-web, cloud-page and password-manager. That means a security fix has to be made in three places, and the JJWT versions have already drifted apart.

The plan is for the gateway to own auth, so the downstream services shouldn't be doing JWT validation at all. This issue tracks that migration.

Scope

  • Route downstream traffic through the gateway so vault-web/cloud-page/password-manager are no longer reachable directly (:8080/:8090/:8091).
  • Once the gateway validates centrally, remove the JWT validation from the services (SecurityConfig / JwtUtil / JwtAuthFilter). Services should consume a forwarded identity instead.
  • Secure the trust boundary: a service must be able to trust the forwarded identity without anyone with direct network access being able to spoof it (signed header / mTLS / network isolation). This is the critical part — without it, gateway-centric auth is less safe than what we have now.

Depends on

Builds on the gateway auth work: #5, #7, #13.

Notes

  • This removes code rather than sharing it, so a shared "common" library is intentionally not the goal.
  • Once done, JJWT is only needed in the gateway, which also resolves the version drift across services.
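
An added sketch of the "signed header" option from the scope list, not code from this repository: the gateway signs the identity it forwards with HMAC-SHA256 and each service verifies it before trusting it. The class name `ForwardedIdentity`, the header layout, the shared key and the 30-second lifetime are all assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;

// Hypothetical helper. Assumed header value: <b64url(user)>.<expiryEpochSeconds>.<b64url(hmac)>
public final class ForwardedIdentity {
    private static final String ALG = "HmacSHA256";
    private final byte[] key; // secret shared by gateway and services (assumption)
    public ForwardedIdentity(byte[] key) { this.key = key.clone(); }
    private byte[] mac(String payload) throws Exception {
        Mac m = Mac.getInstance(ALG);
        m.init(new SecretKeySpec(key, ALG));
        return m.doFinal(payload.getBytes(StandardCharsets.UTF_8));
    }
    // Gateway side: call only after the JWT has been validated.
    public String sign(String user, Instant now, long ttlSeconds) throws Exception {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String payload = enc.encodeToString(user.getBytes(StandardCharsets.UTF_8))
                + "." + now.plusSeconds(ttlSeconds).getEpochSecond();
        return payload + "." + enc.encodeToString(mac(payload));
    }
    // Service side: yields the user only if the MAC matches and the value has not expired.
    public Optional<String> verify(String header, Instant now) {
        try {
            String[] p = header.split("\\.", -1);
            if (p.length != 3) return Optional.empty();
            byte[] given = Base64.getUrlDecoder().decode(p[2]);
            // Constant-time comparison, so timing does not leak how much of the MAC matched.
            if (!MessageDigest.isEqual(mac(p[0] + "." + p[1]), given)) return Optional.empty();
            if (now.getEpochSecond() >= Long.parseLong(p[1])) return Optional.empty();
            return Optional.of(new String(Base64.getUrlDecoder().decode(p[0]), StandardCharsets.UTF_8));
        } catch (Exception e) { // missing header, bad base64 or bad number: reject
            return Optional.empty();
        }
    }
    public static void main(String[] args) throws Exception {
        ForwardedIdentity fi = new ForwardedIdentity("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        Instant t = Instant.parse("2024-01-01T00:00:00Z"); // constructed sample time
        String h = fi.sign("alice", t, 30);
        System.out.println(fi.verify(h, t.plusSeconds(5)));             // within lifetime
        System.out.println(fi.verify(h.replace("YWxpY2U", "Ym9i"), t)); // user swapped after signing
        System.out.println(fi.verify(h, t.plusSeconds(31)));            // past expiry
    }
}
```

The gateway has to drop any client-supplied copy of the header before adding its own, and a service treats a missing or unverifiable value as unauthenticated rather than falling back to an unsigned header.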
