Register two merchant accounts and verify complete session isolation between them. - Capture a JWT token, decode it, identify the signing algorithm, and check whether the secret is weak enough to crack offline. - Attempt to use a merchant's API key to access the merchant dashboard endpoints intended