perf: cache auth user-lookup and admin list_users

The per-request SELECT users WHERE uuid=? in require_role was the
hidden tax behind every authed endpoint — it kept _execute at ~60%
across the profile even after the page caches landed. Even /health
(with its DB and Docker probes cached) was still 52% _execute from
this one query.

- dependencies.py: 10s TTL cache on get_user_by_uuid, well below JWT
  expiry. invalidate_user_cache(uuid) is called on password change,
  role change, and user delete.
- api_get_config.py: 5s TTL cache on the admin branch's list_users()
  (previously fetched every /config call). Invalidated on user
  create/update/delete.
- api_change_pass.py + api_manage_users.py: invalidation hooks on
  all user-mutating endpoints.

decnet/web/router/auth/api_change_pass.py

@@ -4,7 +4,7 @@ from fastapi import APIRouter, Depends, HTTPException, status
 
 from decnet.telemetry import traced as _traced
 from decnet.web.auth import ahash_password, averify_password
-from decnet.web.dependencies import get_current_user_unchecked, repo
+from decnet.web.dependencies import get_current_user_unchecked, invalidate_user_cache, repo
 from decnet.web.db.models import ChangePasswordRequest
 
 router = APIRouter()
@@ -30,4 +30,5 @@ async def change_password(request: ChangePasswordRequest, current_user: str = De
 
     _new_hash: str = await ahash_password(request.new_password)
     await repo.update_user_password(current_user, _new_hash, must_change_password=False)
+    invalidate_user_cache(current_user)
     return {"message": "Password updated successfully"}

decnet/web/router/config/api_get_config.py

@@ -20,13 +20,45 @@ _STATE_TTL = 5.0
 _state_cache: dict[str, tuple[Optional[dict[str, Any]], float]] = {}
 _state_locks: dict[str, asyncio.Lock] = {}
 
+# Admin branch fetched repo.list_users() on every /config call — cache 5s,
+# invalidate on user create/update/delete so the admin UI stays consistent.
+_USERS_TTL = 5.0
+_users_cache: tuple[Optional[list[dict[str, Any]]], float] = (None, 0.0)
+_users_lock: Optional[asyncio.Lock] = None
+
 
 def _reset_state_cache() -> None:
     """Reset cached config state — used by tests."""
+    global _users_cache, _users_lock
     _state_cache.clear()
     # Drop any locks bound to the previous event loop — reusing one from
     # a dead loop deadlocks the next test.
     _state_locks.clear()
+    _users_cache = (None, 0.0)
+    _users_lock = None
+
+
+def invalidate_list_users_cache() -> None:
+    global _users_cache
+    _users_cache = (None, 0.0)
+
+
+async def _get_list_users_cached() -> list[dict[str, Any]]:
+    global _users_cache, _users_lock
+    value, ts = _users_cache
+    now = time.monotonic()
+    if value is not None and now - ts < _USERS_TTL:
+        return value
+    if _users_lock is None:
+        _users_lock = asyncio.Lock()
+    async with _users_lock:
+        value, ts = _users_cache
+        now = time.monotonic()
+        if value is not None and now - ts < _USERS_TTL:
+            return value
+        value = await repo.list_users()
+        _users_cache = (value, time.monotonic())
+        return value
 
 
 async def _get_state_cached(name: str) -> Optional[dict[str, Any]]:
@@ -76,7 +108,7 @@ async def api_get_config(user: dict = Depends(require_viewer)) -> dict:
     }
 
     if user["role"] == "admin":
-        all_users = await repo.list_users()
+        all_users = await _get_list_users_cached()
         base["users"] = [
             UserResponse(
                 uuid=u["uuid"],

decnet/web/router/config/api_manage_users.py

@@ -4,7 +4,8 @@ from fastapi import APIRouter, Depends, HTTPException
 
 from decnet.telemetry import traced as _traced
 from decnet.web.auth import ahash_password
-from decnet.web.dependencies import require_admin, repo
+from decnet.web.dependencies import require_admin, invalidate_user_cache, repo
+from decnet.web.router.config.api_get_config import invalidate_list_users_cache
 from decnet.web.db.models import (
     CreateUserRequest,
     UpdateUserRoleRequest,
@@ -43,6 +44,7 @@ async def api_create_user(
         "role": req.role,
         "must_change_password": True,  # nosec B105 — not a password
     })
+    invalidate_list_users_cache()
     return UserResponse(
         uuid=user_uuid,
         username=req.username,
@@ -71,6 +73,8 @@ async def api_delete_user(
     deleted = await repo.delete_user(user_uuid)
     if not deleted:
         raise HTTPException(status_code=404, detail="User not found")
+    invalidate_user_cache(user_uuid)
+    invalidate_list_users_cache()
     return {"message": "User deleted"}
 
 
@@ -99,6 +103,8 @@ async def api_update_user_role(
         raise HTTPException(status_code=404, detail="User not found")
 
     await repo.update_user_role(user_uuid, req.role)
+    invalidate_user_cache(user_uuid)
+    invalidate_list_users_cache()
     return {"message": "User role updated"}
 
 
@@ -128,4 +134,6 @@ async def api_reset_user_password(
         await ahash_password(req.new_password),
         must_change_password=True,
     )
+    invalidate_user_cache(user_uuid)
+    invalidate_list_users_cache()
     return {"message": "Password reset successfully"}