JWT signing secret is shared between server and trustauth

Both services derive their JWT secret from the same source and use only the `iss` claim to distinguish tokens. A token issued by the server is structurally verifiable on trustauth and vice versa.

**Fix:** Generate separate secrets per service.