feat(platform-service): auth/refresh returns both accessToken + refreshToken

- Refresh endpoint now rotates refresh token and returns both tokens
- Keeps existing refresh token validation semantics
- Verified: tsc --noEmit clean, 19 test files / 178 tests passing

services/platform-service/src/modules/auth/routes.ts

@@ -125,7 +125,11 @@ export async function authRoutes(app: FastifyInstance) {
         productId: user.productId,
         plan: user.plan,
       });
-      return { accessToken };
+      const refreshToken = await jwt.createRefreshToken({
+        sub: user.id,
+        productId: user.productId,
+      });
+      return { accessToken, refreshToken };
     } catch {
       throw new UnauthorizedError('Invalid or expired refresh token');
     }