perf: run bcrypt on a thread so it doesn't block the event loop

verify_password / get_password_hash are CPU-bound and take ~250ms each
at rounds=12. Called directly from async endpoints, they stall every
other coroutine for that window — the single biggest single-worker
bottleneck on the login path.

Adds averify_password / ahash_password that wrap the sync versions in
asyncio.to_thread. Sync versions stay put because _ensure_admin_user and
tests still use them.

5 call sites updated: login, change-password, create-user, reset-password.
tests/test_auth_async.py asserts parallel averify runs concurrently (~1x
of a single verify, not 2x).

decnet/web/auth.py

@@ -1,3 +1,4 @@
+import asyncio
 from datetime import datetime, timedelta, timezone
 from typing import Optional, Any
 import jwt
@@ -24,6 +25,15 @@ def get_password_hash(password: str) -> str:
     return _hashed.decode("utf-8")
 
 
+async def averify_password(plain_password: str, hashed_password: str) -> bool:
+    # bcrypt is CPU-bound and ~250ms/call; keep it off the event loop.
+    return await asyncio.to_thread(verify_password, plain_password, hashed_password)
+
+
+async def ahash_password(password: str) -> str:
+    return await asyncio.to_thread(get_password_hash, password)
+
+
 def create_access_token(data: dict[str, Any], expires_delta: Optional[timedelta] = None) -> str:
     _to_encode: dict[str, Any] = data.copy()
     _expire: datetime