Adds V2 JWT claim schema that closes the kicked-out window and enables
refresh-token rotation with reuse detection.
Server
- jwt_utils.create_token_pair now takes ``session_id`` and ``remember_me``
kwargs. When ``session_id`` is provided, both tokens carry a ``sid``
claim and the access token also carries a ``jti`` claim; the refresh
token's jti is intentionally absent (rotation uses the token hash).
- New ``REFRESH_TOKEN_TTL_REMEMBER_ME = 30d`` (default 7d) selected by
the ``remember_me`` flag.
- ``verify_token`` now supports an optional ``expected_type`` filter
(e.g. ``"access"`` / ``"refresh"``); when omitted, both types pass
(used by /auth/whoami's cold-start path).
- New ``auth.denylist`` module: ``InMemoryRecentlyRevoked`` (default for
the Tauri sidecar / dev mode) and ``RedisRecentlyRevoked`` (multi-
process server). Bounded LRU with auto-expiry via ``time.monotonic()``.
Backwards-compat
- Tokens issued before U2 (no ``sid``) are still accepted by
``verify_token``; validation falls through to the legacy
``user_sessions`` table via the U10 shim (next commit).
Tests
- tests/unit/auth/test_jwt_utils.py: 12 cases — V1/V2 claim presence,
default + remember-me TTL, expected_type filter, expiry, wrong secret.
- tests/unit/auth/test_denylist.py: 6 cases — add/contains, TTL expiry,
LRU eviction, re-add refresh, clear, hash stability.
Refs: U2 in docs/plans/2026-06-20-002-feat-centralized-auth-token-persistence-plan.md