feat: Implement session secret rotation support
Adds support for gradual session secret rotation without forcing logout:

- Add BANGUI_SESSION_SECRET_PREVIOUS config field for rotation window
- Implement unwrap_session_token_with_rotation() to accept tokens signed with either current or previous secret
- Update validate_session() to transparently accept old tokens during rotation
- Update logout() to accept tokens from both secrets
- Add comprehensive logging for rotation events and metrics
- Add 8 new tests covering all rotation scenarios
- Update documentation with step-by-step rotation strategy
- Update .env.example with previous secret field

Key features:

- No forced logout: old tokens continue working during rotation window
- Transparent validation: old tokens are automatically logged for monitoring
- Production-safe: can rotate secrets without service interruption
- Metrics-ready: logs track token rotation for observability

Rotation workflow:

1. Generate new secret and set BANGUI_SESSION_SECRET
2. Set BANGUI_SESSION_SECRET_PREVIOUS to old secret
3. Wait for old tokens to expire (≥ session_duration_minutes)
4. Unset BANGUI_SESSION_SECRET_PREVIOUS to complete rotation

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
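The dual-secret validation the commit message describes, written out as an added example; this is not the project's code, and the token layout (base64url JSON payload, a dot, then a base64url HMAC-SHA256 tag), the function names and the `session_duration_minutes` parameter are assumptions chosen to mirror the message. It verifies against the current secret first, falls back to the previous one only while a rotation window is open, logs the fallback for monitoring, and refuses a previous secret equal to the current one.

```python
import base64
import hashlib
import hmac
import json
import logging
import time

# Assumed token format (not the project's): b64url(payload) "." b64url(hmac_sha256(secret, payload_b64))
log = logging.getLogger("session.rotation")


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(secret: str, payload_b64: str) -> str:
    tag = hmac.new(secret.encode(), payload_b64.encode(), hashlib.sha256).digest()
    return _b64e(tag)


def wrap_session_token(user_id, secret, session_duration_minutes, now=None):
    """Issue a token for user_id that expires after session_duration_minutes."""
    now = time.time() if now is None else now
    payload = {"sub": user_id, "iat": int(now), "exp": int(now + session_duration_minutes * 60)}
    payload_b64 = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    return f"{payload_b64}.{_sign(secret, payload_b64)}"


def unwrap_session_token_with_rotation(token, current_secret, previous_secret=None, now=None):
    """Return (payload, used_previous) for a valid token, or None.

    A token is accepted if its tag verifies under the current secret, or under the
    previous secret while BANGUI_SESSION_SECRET_PREVIOUS is set. Expiry is checked
    after signature verification so an unsigned payload never influences control flow.
    """
    now = time.time() if now is None else now
    parts = token.split(".", 1)
    if len(parts) != 2:
        return None
    payload_b64, sig = parts

    candidates = [("current", current_secret)]
    # A previous secret identical to the current one adds nothing; ignore it.
    if previous_secret and previous_secret != current_secret:
        candidates.append(("previous", previous_secret))

    matched = None
    for label, secret in candidates:
        # Constant-time comparison on bytes; str with non-ASCII would raise in compare_digest.
        if hmac.compare_digest(_sign(secret, payload_b64).encode(), sig.encode()):
            matched = label
            break
    if matched is None:
        return None

    try:
        payload = json.loads(_b64d(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        return None
    if payload["exp"] <= now:
        return None

    used_previous = matched == "previous"
    if used_previous:
        # Metrics hook: count how many sessions still ride on the retired secret.
        log.info("token for %s verified with previous secret", payload.get("sub"))
    return payload, used_previous


def rotation_window_complete(rotation_started_at, session_duration_minutes, now=None):
    """True once every token issued under the old secret has necessarily expired,
    i.e. session_duration_minutes after BANGUI_SESSION_SECRET was switched."""
    now = time.time() if now is None else now
    return now >= rotation_started_at + session_duration_minutes * 60


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    old_token = wrap_session_token("alice", "old-secret", 30, now=1000.0)
    print(unwrap_session_token_with_rotation(old_token, "new-secret", "old-secret", now=1500.0))
    print(unwrap_session_token_with_rotation(old_token, "new-secret", None, now=1500.0))
```

Once `rotation_window_complete()` reports true, step 4 of the workflow (unsetting the previous secret) is safe: any token still verifying under it would already have failed the expiry check.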
@@ -10,6 +10,13 @@
# Example value: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
BANGUI_SESSION_SECRET=
# Previous Session Secret (optional)
# Used during secret rotation to accept tokens signed with the old secret.
# Set this to the previous secret when rotating secrets, then unset it once
# all old tokens have expired. This enables gradual rotation without forcing logout.
# Leave empty unless performing a rotation.
BANGUI_SESSION_SECRET_PREVIOUS=
# Timezone (optional, defaults to UTC)
# Use standard timezone names from the IANA Time Zone Database
# Examples: America/New_York, Europe/London, Asia/Tokyo, UTC
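Review bot: the comment block above BANGUI_SESSION_SECRET_PREVIOUS tells the operator to unset it "once all old tokens have expired" but gives no way to tell when that is; the commit message ties the window to session_duration_minutes, so say so here (e.g. "# Safe to unset once session_duration_minutes have elapsed since BANGUI_SESSION_SECRET was changed") so that someone editing only this file does not leave the retired secret accepted indefinitely. It is also worth stating in the same comment that this value must differ from BANGUI_SESSION_SECRET, since setting both to the same string performs no rotation while still advertising one.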