docs(app): auth migration notes for Flutter interceptor update

app/AUTH_MIGRATION_NOTES.md

@@ -0,0 +1,60 @@
+# Auth Migration Notes — Opaque Token Session Model
+
+The backend dropped HS256 JWTs in favour of opaque token pairs (access + refresh).
+The Flutter auth interceptor needs the following changes before the next mobile release.
+
+## 1. Fix retry using wrong Dio instance
+
+`app/lib/core/network/auth_interceptor.dart` line ~55:
+
+```dart
+// Before (wrong — bypasses logging and other interceptors on retry):
+return _refreshDio.fetch(opts);
+
+// After:
+return _dio.fetch(opts);
+```
+
+## 2. Token field rename
+
+The `/auth/login`, `/auth/register`, and `/auth/refresh` responses no longer include
+`session_token` or `expires_in`. The new shape is:
+
+```json
+{ "data": { "access_token": "...", "refresh_token": "..." } }
+```
+
+Update the auth DTO / model class and `flutter_secure_storage` keys accordingly:
+- `session_token` → `refresh_token`
+- Remove `expires_in` field
+
+## 3. Refresh request format
+
+The refresh endpoint no longer accepts a JSON body. Send the token via header:
+
+```dart
+options.headers['X-Refresh-Token'] = refreshToken;
+```
+
+Remove `body: jsonEncode({'session_token': refreshToken})` from the refresh call.
+
+## 4. Proactive refresh
+
+Store `expiresAt = DateTime.now().add(Duration(minutes: 30))` in
+`flutter_secure_storage` alongside the access token.
+
+In the request interceptor, before sending, check:
+
+```dart
+if (DateTime.now().isAfter(expiresAt.subtract(Duration(seconds: 60)))) {
+  await _performRefresh();
+}
+```
+
+This prevents visible 401s on active users with expiring tokens.
+
+## 5. Handle reuse-detected error
+
+Map the new error code `auth.refresh_reuse_detected` (HTTP 401) to a hard logout:
+clear secure storage and navigate to the login screen with a
+`reason=session_compromised` query param so the UI can show an appropriate message.