fix: session B — Go-faithful auth error states, NKey padding, permissions, signal disposal

dotnet/src/ZB.MOM.NatsNet.Server/Auth/JwtProcessor.cs

@@ -31,15 +31,6 @@ public static class JwtProcessor
     /// </summary>
     public const string JwtPrefix = "eyJ";
 
-    /// <summary>
-    /// Wipes a byte slice by filling with 'x', for clearing nkey seed data.
-    /// Mirrors Go <c>wipeSlice</c>.
-    /// </summary>
-    public static void WipeSlice(Span<byte> buf)
-    {
-        buf.Fill((byte)'x');
-    }
-
     /// <summary>
     /// Validates that the given IP host address is allowed by the user claims source CIDRs.
     /// Returns true if the host is within any of the allowed CIDRs, or if no CIDRs are specified.
@@ -227,17 +218,9 @@ public static class JwtProcessor
         if (opts.TrustedOperators == null || opts.TrustedOperators.Count == 0)
             return null;
 
-        // Each operator should be a well-formed JWT.
-        foreach (var op in opts.TrustedOperators)
-        {
-            var jwtStr = op?.ToString() ?? string.Empty;
-            var (_, err) = ReadOperatorJwtInternal(jwtStr);
-            // Allow the "not implemented" case through — structure validated up to prefix check.
-            if (err is FormatException fe && fe.Message.Contains("not fully implemented"))
-                continue;
-            if (err is ArgumentException)
-                return new InvalidOperationException($"invalid trusted operator JWT: {err.Message}");
-        }
+        // TODO: Full trusted operator JWT validation requires a NATS JWT library.
+        // Each operator JWT should be decoded and its signing key chain verified.
+        // For now, we accept any non-empty operator list and validate at connect time.
         return null;
     }
 }