feat(auth): jti claim and token-revocation store

Stateless JWTs had no revocation path: a stolen token stayed valid for
its full 24h even after the victim changed their password, and there was
no logout. This lays the foundation for revoking them.

- User.tokens_valid_from: per-user bulk-revocation cutoff (compared against
  the token's iat). RevokedToken(jti PK, exp): single-token denylist, pruned
  opportunistically on insert so it never outgrows live-but-revoked tokens.
- login() now mints a jti; create_access_token already stamps iat/exp.
- repo.revoke_token / is_token_revoked / set_tokens_valid_from (abstract +
  shared sqlmodel impl + DummyRepo coverage stubs).
- Centralized validate path in dependencies.py: every auth dependency now
  resolves the user and fails closed on (1) missing jti (legacy/pre-deploy
  token -> one forced re-login), (2) iat before the cutoff, (3) a denylisted
  jti. Denylist lookups ride a 10s membership cache mirroring the user cache.
- Contract/fuzz harness seeds its fixed-uuid principal under
  DECNET_CONTRACT_TEST so its minted token resolves to a live admin user.

tests/api/test_schemathesis.py

@@ -47,7 +47,11 @@ pytestmark = pytest.mark.xdist_group("schemathesis")
 import decnet.web.auth
 decnet.web.auth.SECRET_KEY = TEST_SECRET
 
-TEST_TOKEN = create_access_token({"uuid": "00000000-0000-0000-0000-000000000001"})
+# jti is mandatory post token-revocation; the matching user is seeded by the
+# server under DECNET_CONTRACT_TEST (sqlmodel_repo._ensure_contract_user).
+TEST_TOKEN = create_access_token(
+    {"uuid": "00000000-0000-0000-0000-000000000001", "jti": "contract-test-jti"}
+)
 
 ALL_CHECKS = (
     not_a_server_error,