fix(security): replace python-jose with PyJWT to eliminate ecdsa CVEs

Snyk scan found 3 High severity vulns: two in ecdsa (pulled by python-jose)
and one in diskcache (pulled by pySigma, never imported). Remove both
vulnerable dependencies and migrate JWT handling to PyJWT. Fix
test_logout_revokes_token which broke because test stubs sys.modules[jose]
with a MagicMock at collection time; test now uses PyJWT directly.

backend/app/dependencies/auth.py

@@ -19,8 +19,8 @@ from fastapi import Cookie, Depends, HTTPException, status
 # Import OAuth2PasswordBearer from fastapi.security
 from fastapi.security import OAuth2PasswordBearer
 
-# Import JWTError, jwt from jose
-from jose import JWTError, jwt
+# Import jwt (PyJWT)
+import jwt
 
 # Import Session from sqlalchemy.orm
 from sqlalchemy.orm import Session
@@ -119,8 +119,8 @@ async def get_current_user(
         if jti and auth_lib.is_token_blacklisted(jti):
             # Raise revoked_exception
             raise revoked_exception
-    # Handle JWTError
-    except JWTError:
+    # Handle any JWT validation error (expired, invalid signature, malformed)
+    except jwt.exceptions.InvalidTokenError:
         # Raise credentials_exception
         raise credentials_exception