Merge SEC-03: require token proximity for renewal

# Conflicts:
#	internal/server/server_test.go

internal/grpcserver/auth.go

@@ -6,6 +6,7 @@ import (
 	"context"
 	"fmt"
 	"net"
+	"time"
 
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/peer"
@@ -156,6 +157,14 @@ func (a *authServiceServer) Logout(ctx context.Context, _ *mciasv1.LogoutRequest
 func (a *authServiceServer) RenewToken(ctx context.Context, _ *mciasv1.RenewTokenRequest) (*mciasv1.RenewTokenResponse, error) {
 	claims := claimsFromContext(ctx)
 
+	// Security: only allow renewal when the token has consumed at least 50% of
+	// its lifetime. This prevents indefinite renewal of stolen tokens (SEC-03).
+	totalLifetime := claims.ExpiresAt.Sub(claims.IssuedAt)
+	elapsed := time.Since(claims.IssuedAt)
+	if elapsed < totalLifetime/2 {
+		return nil, status.Error(codes.InvalidArgument, "token is not yet eligible for renewal")
+	}
+
 	acct, err := a.s.db.GetAccountByUUID(claims.Subject)
 	if err != nil {
 		return nil, status.Error(codes.Unauthenticated, "account not found")