gate replacement link behind feature flag, improve CardSelection empty states, add explicit signing key validation

Author: Nick Campanini

src/SEBT.Portal.Api/Controllers/Auth/OidcController.cs

@@ -118,6 +118,7 @@ public async Task<IActionResult> CompleteLogin(
         var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey));
         var validationParams = new TokenValidationParameters
         {
+            ValidateIssuerSigningKey = true,
             ValidateIssuer = false,
             ValidateAudience = false,
             ValidateLifetime = true,

src/SEBT.Portal.Web/src/features/cards/components/CardSelection/CardSelection.tsx

@@ -60,9 +60,15 @@ export function CardSelection() {
   const groups = buildApplicationGroups(data.applications)
 
   if (groups.length === 0) {
+    const hasApplications = data.applications.length > 0
     return (
       <Alert variant="info">
-        {t('cardSelectionNoChildren', 'No children found in your household.')}
+        {hasApplications
+          ? t(
+              'cardSelectionAllInCooldown',
+              'All cards were recently replaced. Please try again later.'
+            )
+          : t('cardSelectionNoChildren', 'No children found in your household.')}
       </Alert>
     )
   }

src/SEBT.Portal.Web/src/features/household/components/ChildCard/ChildCard.tsx

@@ -57,6 +57,7 @@ const CARD_TYPE_KEYS: Partial<Record<IssuanceType, string>> = {
 // Keys map to CSV: "S2 - Portal Dashboard - Card Table - {Key}"
 export function ChildCard({ child, application, id, defaultExpanded = true }: ChildCardProps) {
   const { t, i18n } = useTranslation('dashboard')
+  const enableCardReplacement = useFeatureFlag('enable_card_replacement')
   const showCaseNumber = useFeatureFlag('show_case_number')
   const showCardLast4 = useFeatureFlag('show_card_last4')
   const [isExpanded, setIsExpanded] = useState(defaultExpanded)
@@ -65,7 +66,7 @@ export function ChildCard({ child, application, id, defaultExpanded = true }: Ch
   const { caseNumber, benefitIssueDate, benefitExpirationDate, last4DigitsOfCard, issuanceType } =
     application
   const cardTypeKey = issuanceType ? (CARD_TYPE_KEYS[issuanceType] ?? null) : null
-  const replacementLink = getReplacementLink(application)
+  const replacementLink = enableCardReplacement ? getReplacementLink(application) : null
 
   return (
     <div className="usa-accordion__item">

src/SEBT.Portal.Web/src/features/household/components/DashboardAlerts/DashboardAlerts.tsx

@@ -11,8 +11,8 @@ import { useHouseholdData } from '@/features/household'
  * Displays success and warning alerts on the dashboard triggered by URL search params.
  * Captures alert state on first read, then cleans the params from the URL.
  * The alert persists because rendering is driven by captured state, not live params.
- * Card replacement success (flash=card_replaced) sources dynamic details from the
- * household data cache rather than URL params to avoid PII in URLs.
+ * Card replacement success (flash=card_replaced) checks the household data cache
+ * for address presence to tailor the alert body, avoiding PII in URL params.
  */
 export function DashboardAlerts() {
   const { t } = useTranslation('dashboard')