auth: issue RS256 session cookies when OIDC key is configured

Login endpoint switches from HS256 JWT to RS256 id_token (aud="bincio",
30-day TTL) when oidc_private_key_pem is set. Existing HS256 sessions
remain valid on bincio-activity until they naturally expire.

bincio/auth/deps.py

@@ -68,7 +68,12 @@ def _issue_jwt(user: User) -> str:
 _ID_TOKEN_TTL = 3600  # 1 hour — short-lived; clients use refresh or re-auth
 
 
-def _issue_id_token(user: User, client_id: str, nonce: str | None = None) -> str:
+def _issue_id_token(
+    user: User,
+    client_id: str,
+    nonce: str | None = None,
+    ttl: int | None = None,
+) -> str:
     """Issue an RS256 OIDC id_token for the given user and client."""
     claims: dict = {
         "iss": oidc_issuer,
@@ -83,7 +88,7 @@ def _issue_id_token(user: User, client_id: str, nonce: str | None = None) -> str
     }
     if nonce:
         claims["nonce"] = nonce
-    return create_id_token(claims, oidc_private_key_pem, _ID_TOKEN_TTL)
+    return create_id_token(claims, oidc_private_key_pem, ttl if ttl is not None else _ID_TOKEN_TTL)
 
 
 # ── Rate limiting ─────────────────────────────────────────────────────────────

bincio/auth/routers/auth.py

@@ -40,6 +40,9 @@ async def login(body: LoginRequest, request: Request) -> JSONResponse:
     if not user:
         raise HTTPException(401, "Invalid credentials")
 
+    if deps.oidc_private_key_pem:
+        token = deps._issue_id_token(user, client_id="bincio", ttl=deps._JWT_TTL)
+    else:
         token = deps._issue_jwt(user)
     resp = JSONResponse({
         "ok": True,