[AZ-531] [AZ-532] Refresh-token rotation + ES256 signing with JWKS

AZ-531 — /login now returns access (15 min) + opaque refresh; rotation
on /token/refresh; reuse of a rotated refresh kills the entire session
family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new
sessions table with serializable-tx rotation.

AZ-532 — switched access-token signing from HS256 shared-secret to ES256
file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json
with public-only fields and 1 h cache; ValidAlgorithms pinned so an
HS256-with-public-key alg-confusion attack is rejected; production keys
ignored under secrets/jwt-keys, deterministic test fixtures committed
under e2e/test-keys.

Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests).
Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated
for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with
ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env
to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux
budget unchanged, see batch_02_cycle2_review.md F1).

Co-authored-by: Cursor <cursoragent@cursor.com>

Azaion.Common/BusinessException.cs

@@ -56,6 +56,9 @@ public enum ExceptionEnum
     [Description("Too many login attempts. Try again later.")]
     LoginRateLimited = 51,
 
+    [Description("Refresh token is invalid, expired, or has been revoked.")]
+    InvalidRefreshToken = 52,
+
     [Description("No file provided.")]
     NoFileProvided = 60,
 }

Azaion.Common/Configs/JwtConfig.cs

@@ -2,8 +2,41 @@ namespace Azaion.Common.Configs;
 
 public class JwtConfig
 {
-    public string Issuer { get; set; } = null!;
+    public string Issuer   { get; set; } = null!;
     public string Audience { get; set; } = null!;
-    public string Secret { get; set; } = null!;
-    public double TokenLifetimeHours { get; set; }
-}
+
+    /// <summary>
+    /// AZ-532 — directory containing ES256 private keys (PEM, *.pem). The kid is
+    /// the filename without extension. Production: <c>secrets/jwt-keys</c>.
+    /// </summary>
+    public string KeysFolder { get; set; } = "secrets/jwt-keys";
+
+    /// <summary>
+    /// AZ-532 — kid of the key currently used to SIGN new tokens. Other keys in
+    /// <see cref="KeysFolder"/> remain in JWKS for the rotation overlap window so
+    /// in-flight tokens still verify.
+    /// </summary>
+    public string? ActiveKid { get; set; }
+
+    /// <summary>
+    /// AZ-531 — access-token TTL in minutes (default 15). Refresh-token TTLs live
+    /// on <see cref="SessionConfig"/>.
+    /// </summary>
+    public int AccessTokenLifetimeMinutes { get; set; } = 15;
+}
+
+public class SessionConfig
+{
+    /// <summary>
+    /// AZ-531 — sliding window. Each refresh extends expires_at by this many
+    /// hours from "now"; family-level absolute cap below.
+    /// </summary>
+    public int RefreshSlidingHours { get; set; } = 8;
+
+    /// <summary>
+    /// AZ-531 — absolute cap. A session family older than this many hours since
+    /// the family's first issue is rejected even if every individual rotation
+    /// stayed within the sliding window.
+    /// </summary>
+    public int RefreshAbsoluteHours { get; set; } = 12;
+}

Azaion.Common/Database/AzaionDb.cs

@@ -9,4 +9,5 @@ public class AzaionDb(DataOptions dataOptions) : DataConnection(dataOptions)
     public ITable<User>            Users             => this.GetTable<User>();
     public ITable<DetectionClass>  DetectionClasses  => this.GetTable<DetectionClass>();
     public ITable<AuditEvent>      AuditEvents       => this.GetTable<AuditEvent>();
+    public ITable<Session>         Sessions          => this.GetTable<Session>();
 }

Azaion.Common/Database/AzaionDbShemaHolder.cs

@@ -48,6 +48,12 @@ public static class AzaionDbSchemaHolder
                 .IsPrimaryKey()
                 .IsIdentity();
 
+        builder.Entity<Session>()
+            .HasTableName("sessions")
+            .Property(x => x.Id)
+                .IsPrimaryKey()
+                .HasDataType(DataType.Guid);
+
         builder.Build();
     }
 }

Azaion.Common/Entities/Session.cs

@@ -0,0 +1,29 @@
+namespace Azaion.Common.Entities;
+
+/// <summary>
+/// AZ-531 — refresh-token session row. One row per issued refresh token. A
+/// "session family" is the chain of rotated sessions that all share the same
+/// <see cref="FamilyId"/>; reuse-detection keys off it.
+/// </summary>
+public class Session
+{
+    public Guid      Id               { get; set; }
+    public Guid      UserId           { get; set; }
+    public string    RefreshHash      { get; set; } = null!;
+    public Guid      FamilyId         { get; set; }
+    public DateTime  IssuedAt         { get; set; }
+    public DateTime  LastUsedAt       { get; set; }
+    public DateTime  ExpiresAt        { get; set; }
+    public DateTime? RevokedAt        { get; set; }
+    public string?   RevokedReason    { get; set; }
+    public Guid?     ParentSessionId  { get; set; }
+    public DateTime  FamilyStartedAt  { get; set; }
+}
+
+public static class SessionRevokedReasons
+{
+    public const string Rotated         = "rotated";
+    public const string ReuseDetected   = "reuse_detected";
+    public const string LoggedOut       = "logged_out";
+    public const string FamilyRevoked   = "family_revoked";
+}

Azaion.Common/Requests/LoginResponse.cs

@@ -0,0 +1,21 @@
+namespace Azaion.Common.Requests;
+
+/// <summary>
+/// AZ-531 — dual-token login response. <see cref="Token"/> is kept for
+/// backwards compatibility with pre-AZ-531 clients (UI ignores extra fields);
+/// it carries the same value as <see cref="AccessToken"/>.
+/// </summary>
+public class LoginResponse
+{
+    public string   AccessToken  { get; set; } = null!;
+    public DateTime AccessExp    { get; set; }
+    public string   RefreshToken { get; set; } = null!;
+    public DateTime RefreshExp   { get; set; }
+
+    public string Token => AccessToken;
+}
+
+public class RefreshTokenRequest
+{
+    public string RefreshToken { get; set; } = null!;
+}