fix(swarm): require admin JWT on all swarm operator endpoints

Gate all 8 swarm-controller operator routes (enroll, list/get/decommission
hosts, deploy, teardown, check, list deckies) with the centralized
require_admin RBAC dependency alongside require_operator_cert; mTLS becomes
defense-in-depth instead of the only gate. /heartbeat stays cert-fingerprint
pinned (worker-facing) and /swarm/health stays open (liveness only).

CLI swarm commands now send Authorization: Bearer $DECNET_API_TOKEN with a
401/403 hint covering the must_change_password bootstrap flow.

Bump pyjwt to 2.13.0 and pip to 26.1.2 (pip-audit PYSEC-2026-175/177/178/179,
PYSEC-2026-196); authz suite re-verified on the new pyjwt.

Closes ASVS_L2_AUDIT.md V4.1.1a and V4.1.1b (CRITICAL).

tests/swarm/test_heartbeat.py

@@ -15,6 +15,12 @@ from decnet.web.db.factory import get_repository
 from decnet.web.dependencies import get_repo
 from decnet.web.router.swarm import api_heartbeat as hb_mod
 
+# NOTE: /swarm/enroll now requires an admin JWT (V4.1.1). The autouse
+# `_bypass_swarm_admin_gate` fixture in tests/swarm/conftest.py installs a
+# no-op require_admin override so this behavior suite's enroll-based setup
+# keeps working. /swarm/heartbeat itself stays worker-facing (cert fingerprint
+# pinning, no JWT) and is unaffected by the gate.
+
 
 # ------------------------- shared fixtures (mirror test_swarm_api.py) ---
 
@@ -51,8 +57,9 @@ def client(repo, ca_dir: pathlib.Path):
         return repo
 
     app.dependency_overrides[get_repo] = _override
-    # loopback client so /swarm/enroll (operator-gated) accepts the certless
-    # local-operator path during test setup.
+    # loopback client so /swarm/enroll accepts the certless local-operator
+    # transport path; the admin gate is bypassed by the autouse conftest
+    # fixture (this suite tests heartbeat, not the JWT gate).
     with TestClient(app, client=("127.0.0.1", 50000)) as c:
         yield c
     app.dependency_overrides.clear()