fix(security): replace python-jose with PyJWT to eliminate ecdsa CVEs

Snyk scan found 3 High severity vulns: two in ecdsa (pulled by python-jose)
and one in diskcache (pulled by pySigma, never imported). Remove both
vulnerable dependencies and migrate JWT handling to PyJWT. Fix
test_logout_revokes_token which broke because test stubs sys.modules[jose]
with a MagicMock at collection time; test now uses PyJWT directly.
kitos
2026-06-11 09:06:16 +02:00
parent d2a46feba8
commit 1f19bd8432
6 changed files with 18 additions and 15 deletions
+4 -4
@@ -16,8 +16,8 @@ from fastapi import APIRouter, Cookie, Depends, Request, Response
# Import OAuth2PasswordRequestForm from fastapi.security
from fastapi.security import OAuth2PasswordRequestForm
# Import JWTError, jwt from jose
from jose import JWTError, jwt
# Import jwt (PyJWT)
import jwt
# Import Session from sqlalchemy.orm
from sqlalchemy.orm import Session
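Review bot: Swapping `from jose import JWTError, jwt` for `import jwt` changes the `jwt` module's API as well as its name, and this hunk does not show the call sites that depend on it. PyJWT's `jwt.decode()` requires an explicit `algorithms=[...]` argument (it raises `DecodeError` when the list is omitted) and does not accept python-jose-specific keyword arguments such as `access_token`, so every `jwt.decode`/`jwt.encode` call in this module should be checked against the PyJWT signature, and any remaining bare `JWTError` reference outside the second hunk would now be a `NameError`. The comment on the new line only restates the import; `# PyJWT, replaces python-jose (see ecdsa CVEs)` would record why the module changed, which is the useful part for the next reader.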
@@ -234,8 +234,8 @@ def logout(
if jti:
# Call blacklist_token()
blacklist_token(jti, float(exp))
# Handle JWTError
except JWTError:
# Handle any JWT validation error during logout (token may be expired or malformed)
except jwt.exceptions.InvalidTokenError:
# Intentional no-op placeholder
pass
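Review bot: Catching `jwt.exceptions.InvalidTokenError` and falling through to `pass` means a logout with an expired token never reaches `blacklist_token()`, because PyJWT's `ExpiredSignatureError` is a subclass of `InvalidTokenError` and is raised by `decode()` by default; that is acceptable only if the token is unusable once expired, which the hunk does not let a reviewer confirm, and a malformed token presented to logout should at least be logged rather than silently ignored. Suggest replacing `pass` with a `logger.debug("logout: token rejected: %s", exc)` (binding the exception with `as exc`) so the event is visible to detection, and spelling the exception as `jwt.InvalidTokenError`, which is the name PyJWT exports at the top level and documents.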