security: reject refresh tokens used as access tokens (C-02)

get_current_user and get_current_user_optional now reject any token
whose payload carries type="refresh". Access tokens carry no type field
so the check is asymmetric and safe. Prevents a refresh-cookie value
from being replayed as a Bearer access token.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/core/dependencies.py

@@ -21,6 +21,13 @@ async def get_current_user(
 ) -> User:
     token = credentials.credentials
     payload = decode_token(token)
+
+    if payload.get("type") == "refresh":
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Could not validate credentials",
+        )
+
     user_id: str = payload.get("sub")
 
     if user_id is None:
@@ -77,6 +84,9 @@ async def get_current_user_optional(
             return None
 
         payload = decode_token(token)
+        if payload.get("type") == "refresh":
+            return None
+
         user_id: str = payload.get("sub")
 
         if user_id is None: