Refresh Token

Refresh the access token using the refresh cookie. Rotates the refresh token.

Implements refresh-token reuse detection (SEC-20260420-006). Each session row carries used_at (set on rotation) and replaced_by_id (forward chain link). If a client presents a token whose row has used_at set, the token is being replayed — either by an attacker who stole the cookie before the legitimate client rotated it, or by a buggy client retrying the same token. Either way we burn the entire rotation family so a stolen cookie is worth at most one rotation cycle and the theft is loud.