test(api): repair pre-existing rotted tests (SSE ticket flow, password policy)

These had been red since the changes they cover landed — invisible because
the pre-commit gate runs mypy/ruff/bandit/pip-audit but NOT pytest, so failing
tests don't block commits and quietly accumulate.

- SSE stream/events auth migrated from ?token=<jwt> to a single-use ?ticket=
  (commit efb4e49d). Three tests still passed a raw JWT as ?token= and got
  401. Updated to mint a ticket via POST /auth/sse-ticket and pass ?ticket=
  (attacker events, topology events, /stream).
- The user-creation password policy is min_length=12; the RBAC admin-access
  test still used a 10-char password and was rejected. Bumped to a valid one.
2026-06-16 12:06:56 -04:00
parent 9eb2803d04
commit 8db593a544
4 changed files with 30 additions and 5 deletions

@@ -106,9 +106,17 @@ async def test_events_missing_attacker_404(auth_token, _fake_app_bus):
async with httpx.AsyncClient(
transport=httpx.ASGITransport(app=app), base_url="http://test",
) as ac:
# SSE auth is a single-use ?ticket= minted from the JWT (EventSource
# can't set headers); a raw ?token= is no longer accepted.
tr = await ac.post(
"/api/v1/auth/sse-ticket",
headers={"Authorization": f"Bearer {auth_token}"},
)
assert tr.status_code == 200, tr.text
ticket = tr.json()["ticket"]
r = await ac.get(
f"{_V1}/{_OTHER_UUID}/events",
params={"token": auth_token},
params={"ticket": ticket},
)
assert r.status_code == 404
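
Review bot: the new comment above the `ac.post("/api/v1/auth/sse-ticket", ...)` call says the ticket is single-use and that a raw `?token=` is no longer accepted, but the only assertions in this hunk are the 200 on minting and the 404 on the missing attacker, so neither property is covered here. Consider a companion negative test that sends `params={"token": auth_token}` and asserts the 401 the commit message describes, plus one that replays the same `ticket` on a second request and asserts it is rejected, so a regression in the auth migration fails a test. Since the commit message says the same minting steps went into three tests, the `tr = await ac.post(...)` through `ticket = tr.json()["ticket"]` lines would also be better placed in a shared fixture built on `auth_token` than repeated inline.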