fix: return rotated refresh token from agent token refresh endpoint

Previously the refresh endpoint only returned a new accessToken, causing
agents to lose their refreshToken after the first refresh cycle and
forcing a full re-registration every ~2 hours.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cameleer3-server-app/src/main/java/com/cameleer3/server/app/controller/AgentRegistrationController.java

@@ -159,8 +159,9 @@ public class AgentRegistrationController {
         List<String> roles = result.roles().isEmpty()
                 ? List.of("AGENT") : result.roles();
         String newAccessToken = jwtService.createAccessToken(agentId, agent.group(), roles);
+        String newRefreshToken = jwtService.createRefreshToken(agentId, agent.group(), roles);
 
-        return ResponseEntity.ok(new AgentRefreshResponse(newAccessToken));
+        return ResponseEntity.ok(new AgentRefreshResponse(newAccessToken, newRefreshToken));
     }
 
     @PostMapping("/{id}/heartbeat")

cameleer3-server-app/src/main/java/com/cameleer3/server/app/dto/AgentRefreshResponse.java

@@ -3,5 +3,5 @@ package com.cameleer3.server.app.dto;
 import io.swagger.v3.oas.annotations.media.Schema;
 import jakarta.validation.constraints.NotNull;
 
-@Schema(description = "Refreshed access token")
-public record AgentRefreshResponse(@NotNull String accessToken) {}
+@Schema(description = "Refreshed access and refresh tokens")
+public record AgentRefreshResponse(@NotNull String accessToken, @NotNull String refreshToken) {}

cameleer3-server-app/src/test/java/com/cameleer3/server/app/security/JwtRefreshIT.java

@@ -79,6 +79,8 @@ class JwtRefreshIT extends AbstractPostgresIT {
 
         JsonNode body = objectMapper.readTree(response.getBody());
         assertThat(body.get("accessToken").asText()).isNotEmpty();
+        assertThat(body.get("refreshToken").asText()).isNotEmpty();
+        assertThat(body.get("refreshToken").asText()).isNotEqualTo(refreshToken);
     }
 
     @Test