Remove unused `jwt` dependency (duplicate of python-jose)

Problem

Both python-jose[cryptography] and jwt are listed as dependencies in pyproject.toml. They serve the same purpose — JWT encode/decode. The codebase uses python-jose (imported as jose); the jwt package appears to be unused.

Keeping both increases the attack surface and dependency footprint unnecessarily.

Location

pyproject.toml

Fix

1. Confirm jwt is not imported anywhere: grep -r "import jwt" app/
2. Remove jwt>=1.4.0 from pyproject.toml
3. Run uv sync

Effort

Low (~15 min)