Fix SEC-03: require token proximity for renewal

- Add 50% lifetime elapsed check to REST handleRenew and gRPC RenewToken
- Reject renewal attempts before 50% of token lifetime has elapsed
- Update existing renewal tests to use short-lived tokens with sleep
- Add TestRenewTokenTooEarly tests for both REST and gRPC

Security: Tokens can only be renewed after 50% of their lifetime has
elapsed, preventing indefinite renewal of stolen tokens.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

internal/grpcserver/auth.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"time"
 
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/peer"
@@ -153,6 +154,14 @@ func (a *authServiceServer) Logout(ctx context.Context, _ *mciasv1.LogoutRequest
 func (a *authServiceServer) RenewToken(ctx context.Context, _ *mciasv1.RenewTokenRequest) (*mciasv1.RenewTokenResponse, error) {
 	claims := claimsFromContext(ctx)
 
+	// Security: only allow renewal when the token has consumed at least 50% of
+	// its lifetime. This prevents indefinite renewal of stolen tokens (SEC-03).
+	totalLifetime := claims.ExpiresAt.Sub(claims.IssuedAt)
+	elapsed := time.Since(claims.IssuedAt)
+	if elapsed < totalLifetime/2 {
+		return nil, status.Error(codes.InvalidArgument, "token is not yet eligible for renewal")
+	}
+
 	acct, err := a.s.db.GetAccountByUUID(claims.Subject)
 	if err != nil {
 		return nil, status.Error(codes.Unauthenticated, "account not found")