feat(auth): embed auth_time/idle_max/abs_max in refresh tokens at every login

Third commit in the session-expiration-policy series. Every refresh token
issued from now on carries the policy snapshot in its JWT (in seconds,
for direct Unix math), and every login/OAuth response surfaces both
expiry windows as ISO timestamps. /auth/refresh carries the claims
forward unchanged — including auth_time, which never resets on rotation.

Does NOT yet enforce the absolute cap — that's commit 4, sequenced so
the gate can be reverted independently if pilots hit an edge case.
But the wire is fully populated, and a grandfather path is already in
_refresh_session_tokens for tokens issued before this PR.

Key changes:
- core/security.py: create_refresh_token signature changes to
  (user_id, *, auth_time, idle_max_seconds, abs_max_seconds). Adds
  resolve_session_policy(account) -> (idle_minutes, absolute_minutes)
  applying defaults for NULL overrides.
- schemas/token.py + schemas/oauth.py: Token and OAuthCallbackResponse
  gain idle_expires_at + absolute_expires_at (Optional[datetime],
  Pydantic emits ISO 8601 UTC strings).
- endpoints/auth.py: new _mint_session_tokens(user, db) and
  _refresh_session_tokens(payload, user, db) helpers. /auth/login,
  /auth/login/json, and /auth/refresh now route through them. The
  refresh endpoint's pre-existing "Refresh token has been revoked"
  error normalized to the taxonomy detail "invalid_refresh_token".
- endpoints/oauth.py: both Google and Microsoft callbacks call
  _mint_session_tokens; OAuthCallbackResponse carries the expiry
  fields through.
- tests: two new cases in test_session_policy.py — login_json embeds
  the claims with strict defaults (3d/14d -> 259200/1209600 sec) and
  surfaces matching ISO expiry fields; refresh carries auth_time,
  idle_max, abs_max forward unchanged across rotation.

35/35 across test_session_policy + test_auth + test_oauth_callbacks +
test_account_invite_lookup + test_account_management.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/app/core/security.py

@@ -42,14 +42,54 @@ def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -
     return encoded_jwt
 
 
-def create_refresh_token(data: dict) -> str:
-    """Create a JWT refresh token with a unique jti for revocation tracking."""
-    to_encode = data.copy()
-    expire = datetime.now(timezone.utc) + timedelta(days=settings.REFRESH_TOKEN_EXPIRE_DAYS)
+def create_refresh_token(
+    user_id: str,
+    *,
+    auth_time: int,
+    idle_max_seconds: int,
+    abs_max_seconds: int,
+) -> str:
+    """Create a JWT refresh token with session-policy claims embedded.
+
+    The JWT carries five claims beyond the standard `sub`/`type`/`jti`:
+
+    - `auth_time`: Unix-seconds timestamp of the original login; never reset
+      on rotation. Used by `/auth/refresh` to enforce the absolute cap.
+    - `idle_max`: idle window in seconds, snapshotted from the account's
+      policy at login. Carried forward across rotations unchanged.
+    - `abs_max`: absolute lifetime in seconds, snapshotted at login.
+    - `exp`: current idle deadline (`now + idle_max`). Standard JWT expiry.
+
+    See docs/plans/2026-05-13-session-expiration-policy.md §4.2 for the unit
+    convention (everything outside the JWT is minutes; inside the JWT it's
+    seconds so `auth_time + abs_max` is direct Unix math).
+    """
+    now = datetime.now(timezone.utc)
+    expire = now + timedelta(seconds=idle_max_seconds)
     jti = str(uuid.uuid4())
-    to_encode.update({"exp": expire, "type": "refresh", "jti": jti})
-    encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
-    return encoded_jwt
+    to_encode = {
+        "sub": user_id,
+        "type": "refresh",
+        "jti": jti,
+        "exp": expire,
+        "auth_time": auth_time,
+        "idle_max": idle_max_seconds,
+        "abs_max": abs_max_seconds,
+    }
+    return jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+
+
+def resolve_session_policy(account) -> tuple[int, int]:
+    """Return (idle_minutes, absolute_minutes) for an account.
+
+    NULL overrides fall back to the system defaults from Settings. Partial
+    overrides (one column NULL, one set) are intentionally allowed at this
+    layer; the PATCH /accounts/me/security endpoint validates the resolved
+    effective values to enforce idle <= absolute. See plan §4.3.
+    """
+    idle = account.session_idle_minutes or settings.SESSION_IDLE_MINUTES_DEFAULT
+    absolute = account.session_absolute_minutes or settings.SESSION_ABSOLUTE_MINUTES_DEFAULT
+    return idle, absolute
 
 
 def hash_token(jti: str) -> str: