
[codex] fix(cmms): accept signed Hub SSO handoff#190

Merged
Mikecranesync merged 1 commit into main from fix/atlas-sso
Jun 26, 2026


Conversation

@Mikecranesync

Owner

Summary

  • Adds POST /auth/sso/hub to Atlas CMMS so FactoryLM Hub can exchange a short-lived signed assertion for an Atlas JWT.
  • Validates issuer, audience, signature, and existing enabled Atlas user before minting a token; no silent user, company, or role auto-provisioning.
  • Updates the Atlas OAuth success screen so Hub can hand off an Atlas token and land users on safe /app/... Works routes.
  • Documents and wires HUB_SSO_SECRET, HUB_SSO_ISSUER, and HUB_SSO_AUDIENCE through CMMS config/docker-compose.

Fixes #189.

Validation

  • git diff --cached --check before commit: passed.
  • git diff --check: passed before staging.
  • JJWT 0.9.1 local source jar confirms requireIssuer, requireAudience, setSigningKey, and parseClaimsJws parser methods exist.
  • Symbol grounding confirmed the endpoint uses existing UserRepository.findByEmailIgnoreCase and JwtTokenProvider.createToken paths.

Not run

  • Atlas Java test execution: blocked on this CHARLIE node because apps/cmms/api only has mvnw.cmd, mvn is not installed, and /usr/bin/java reports no Java runtime.
  • Atlas frontend eslint: blocked because apps/cmms/frontend/node_modules is not installed in this worktree.

Deploy notes

  • Set the same strong HUB_SSO_SECRET in Hub and Atlas CMMS API.
  • Keep the default issuer/audience unless explicitly overriding both services: factorylm-hub / atlas-cmms.
  • Existing Atlas users must already be provisioned and enabled with the Hub email address.
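
The checks listed in the summary above (signature, issuer, audience, an existing enabled user, no auto-provisioning), sketched in Python as an added example; it is not this PR's Java code. It assumes an HS256 compact JWT signed with the shared HUB_SSO_SECRET, an `email` claim carrying the Hub address, and a constructed in-memory user table in place of the Atlas user repository.

```python
import base64, hashlib, hmac, json, time

HUB_SSO_ISSUER = "factorylm-hub"    # default named in the deploy notes
HUB_SSO_AUDIENCE = "atlas-cmms"     # default named in the deploy notes
# Constructed stand-in for the Atlas user table: email -> enabled flag.
USERS = {"tech@example.com": True, "former@example.com": False}

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_assertion(claims, secret):
    """Hub side, for the demo only: build an HS256 compact JWS."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(mac)}"

def verify_hub_assertion(token, secret, now=None):
    """Atlas side: return the user's email, or raise ValueError."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(_b64d(head))
        given = _b64d(sig)
    except ValueError:
        raise ValueError("malformed assertion")
    # Pin the algorithm; the token header must not choose it (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body))  # claims are read only after the MAC verifies
    if not isinstance(claims, dict):
        raise ValueError("claims are not an object")
    if claims.get("iss") != HUB_SSO_ISSUER or claims.get("aud") != HUB_SSO_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired or missing exp")
    email = str(claims.get("email", "")).lower()  # case-insensitive lookup
    # No auto-provisioning: unknown or disabled accounts are rejected.
    if USERS.get(email) is not True:
        raise ValueError("no enabled Atlas user")
    return email
```
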

@Mikecranesync Mikecranesync marked this pull request as ready for review June 26, 2026 13:06
@Mikecranesync Mikecranesync merged commit 7f3949b into main Jun 26, 2026
1 check passed
@Mikecranesync Mikecranesync deleted the fix/atlas-sso branch June 26, 2026 13:15

Development

Successfully merging this pull request may close these issues.

Hub credentials do not work for Atlas CMMS (SSO expectation)
