feat(auth): jti claim and token-revocation store

Stateless JWTs had no revocation path: a stolen token stayed valid for
its full 24h even after the victim changed their password, and there was
no logout. This lays the foundation for revoking them.

- User.tokens_valid_from: per-user bulk-revocation cutoff (compared against
  the token's iat). RevokedToken(jti PK, exp): single-token denylist, pruned
  opportunistically on insert so it never outgrows live-but-revoked tokens.
- login() now mints a jti; create_access_token already stamps iat/exp.
- repo.revoke_token / is_token_revoked / set_tokens_valid_from (abstract +
  shared sqlmodel impl + DummyRepo coverage stubs).
- Centralized validate path in dependencies.py: every auth dependency now
  resolves the user and fails closed on (1) missing jti (legacy/pre-deploy
  token -> one forced re-login), (2) iat before the cutoff, (3) a denylisted
  jti. Denylist lookups ride a 10s membership cache mirroring the user cache.
- Contract/fuzz harness seeds its fixed-uuid principal under
  DECNET_CONTRACT_TEST so its minted token resolves to a live admin user.

decnet/web/router/auth/api_login.py

@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 from datetime import timedelta
 from typing import Any, Optional
+from uuid import uuid4
 
 from fastapi import APIRouter, HTTPException, Request, status
 
@@ -52,9 +53,11 @@ async def login(request: Request, payload: LoginRequest) -> dict[str, Any]:
         )
 
     _access_token_expires: timedelta = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
-    # Token uses uuid instead of sub
+    # Token uses uuid instead of sub; jti is the per-token id the denylist
+    # keys on (logout). create_access_token stamps exp + iat.
     _access_token: str = create_access_token(
-        data={"uuid": _user["uuid"]}, expires_delta=_access_token_expires
+        data={"uuid": _user["uuid"], "jti": uuid4().hex},
+        expires_delta=_access_token_expires,
     )
     return {
         "access_token": _access_token,