[AZ-535] [AZ-533] Logout/revocation surface + UAV mission tokens

AZ-535: POST /logout (caller's session), /logout/all (all sessions for user),
admin POST /sessions/{sid}/revoke, and verifier-only GET /sessions/revoked
snapshot. New Service role gates the snapshot. Idempotent revoke; reason +
revoked_by_user_id audited per row.

AZ-533: POST /sessions/mission mints a long-lived no-refresh ES256 token bound
to one aircraft + one mission. Audience narrowed to satellite-provider, hard
12 h cap, persisted as class='mission' so the existing logout/revoke surface
covers it. Successful CompanionPC /login or /token/refresh auto-revokes that
aircraft's open mission session (post-flight reconnect).

Schema: 09_sessions_logout_and_mission.sql adds revoked_by_user_id, class,
aircraft_id; drops NOT NULL on refresh_hash for mission rows; adds two partial
indexes for the auto-revoke and snapshot hot paths.

Tests: 13 new e2e tests, all green; full suite 75/76 (1 pre-existing flake in
PasswordHashingTests AC5 timing assertion, unrelated to this batch).

Co-authored-by: Cursor <cursoragent@cursor.com>

Azaion.Common/BusinessException.cs

@@ -59,6 +59,15 @@ public enum ExceptionEnum
     [Description("Refresh token is invalid, expired, or has been revoked.")]
     InvalidRefreshToken = 52,
 
+    [Description("Session not found.")]
+    SessionNotFound = 53,
+
+    [Description("Mission token request is invalid.")]
+    InvalidMissionRequest = 54,
+
+    [Description("Aircraft not found or wrong role.")]
+    AircraftNotFound = 55,
+
     [Description("No file provided.")]
     NoFileProvided = 60,
 }