[AZ-535] [AZ-533] Logout/revocation surface + UAV mission tokens

AZ-535: POST /logout (caller's session), /logout/all (all sessions for user),
admin POST /sessions/{sid}/revoke, and verifier-only GET /sessions/revoked
snapshot. New Service role gates the snapshot. Idempotent revoke; reason +
revoked_by_user_id audited per row.

AZ-533: POST /sessions/mission mints a long-lived no-refresh ES256 token bound
to one aircraft + one mission. Audience narrowed to satellite-provider, hard
12 h cap, persisted as class='mission' so the existing logout/revoke surface
covers it. Successful CompanionPC /login or /token/refresh auto-revokes that
aircraft's open mission session (post-flight reconnect).

Schema: 09_sessions_logout_and_mission.sql adds revoked_by_user_id, class,
aircraft_id; drops NOT NULL on refresh_hash for mission rows; adds two partial
indexes for the auto-revoke and snapshot hot paths.

Tests: 13 new e2e tests, all green; full suite 75/76 (1 pre-existing flake in
PasswordHashingTests AC5 timing assertion, unrelated to this batch).

Co-authored-by: Cursor <cursoragent@cursor.com>

Azaion.Common/Entities/RoleEnum.cs

@@ -8,5 +8,10 @@ public enum RoleEnum
     CompanionPC = 30,
     Admin = 40, //
     ResourceUploader = 50, //Uploading dll and ai models
+    // AZ-535 — service-to-service identity (one per verifier: satellite-provider,
+    // gps-denied, ui). Only authorized to read /sessions/revoked snapshot; not
+    // valid for any user-facing endpoint. Each verifier deployment gets one
+    // dedicated Service user.
+    Service = 60,
     ApiAdmin = 1000 //everything
 }