[P0-2][CRITICAL] Implement JWT refresh token with rotation

[cct08311github]

TokenService.cs returns RefreshToken = "". No refresh mechanism.

Fix

• Add RefreshTokenEntity, implement rotation with reuse detection
• Expand ITokenService with RefreshTokenAsync, RevokeTokenAsync
• Add API endpoints: POST /api/_account/refreshtoken, POST /api/_account/revoketoken
• Apply DbSet to all demo DataContexts
• DB migration: CREATE TABLE FrameworkRefreshTokens

Risk: Low (additive) | Effort: 2-3 days

[cct08311github]

Implemented:

• cdea2d1f: RefreshTokenEntity, ITokenService with rotation + reuse detection, token family/revoke tree
• b96efe25: DbSet added to DataContext
• 6ba96b99: /api/_account/refreshtoken and /api/_account/revoketoken endpoints
• 4a506734: [AllowAnonymous] added to revoketoken

CI: ✅ passing