Login already issues a short-lived access token and a long-lived refresh token. This PR adds POST /auth/refresh: it accepts a refresh token, validates it, and issues a new access token. Review for token security, rotation hygiene, and correct use of JWT.
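For reference while reviewing, an added sketch (not the PR's code) of the checks a refresh handler like this is usually expected to make. It assumes HS256-signed tokens, a `use` claim separating access from refresh tokens, and single-use refresh tokens tracked by `jti` within a `fam` family; every name here is hypothetical and the key is a constructed sample.

```python
import base64, hashlib, hmac, json, secrets

KEY = b"constructed-demo-key"          # constructed secret; a real one comes from a secret store
ACCESS_TTL, REFRESH_TTL = 300, 14 * 86400
live_jti = {}                          # jti -> family id of refresh tokens not yet used
revoked = set()                        # families revoked after a replay was seen

def b64e(raw): return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64d(txt): return base64.urlsafe_b64decode(txt + "=" * (-len(txt) % 4))
def mac(head, body): return hmac.new(KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign(claims):
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{b64e(mac(head, body))}"

def verify(token, use, now):
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64d(head))
        # The algorithm is pinned server-side; the header never chooses it ("none", alg swap).
        if header.get("alg") != "HS256" or not hmac.compare_digest(mac(head, body), b64d(sig)):
            raise ValueError("bad algorithm or signature")
        claims = json.loads(b64d(body))     # parsed only after the MAC checks out
    except (ValueError, AttributeError):
        raise PermissionError("invalid token") from None
    if claims.get("use") != use:            # an access token must not work as a refresh token
        raise PermissionError("wrong token type")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise PermissionError("expired")
    return claims

def issue_pair(sub, now, family=None):
    family, jti = family or secrets.token_hex(8), secrets.token_hex(16)
    live_jti[jti] = family
    access = sign({"sub": sub, "use": "access", "exp": now + ACCESS_TTL})
    refresh_token = sign({"sub": sub, "use": "refresh", "jti": jti, "fam": family, "exp": now + REFRESH_TTL})
    return access, refresh_token

def handle_refresh(token, now):
    claims = verify(token, "refresh", now)
    family = claims["fam"]
    if family in revoked:
        raise PermissionError("family revoked")
    if live_jti.pop(claims["jti"], None) != family:
        revoked.add(family)   # a rotated token came back: treat the whole family as stolen
        raise PermissionError("refresh token reuse")
    return issue_pair(claims["sub"], now, family)
```

Things to compare against the PR: whether the old refresh token stops working after use, whether a replayed one revokes its successors, and whether an access token is rejected at this endpoint.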