feat: embed permission claims in JWT and add captcha verification

- Add GroupClaims model for JWT permission snapshots
- Add JWTPayload model for typed JWT decoding
- Refactor auth middleware: jwt_required (no DB) -> admin_required (no DB) -> auth_required (DB)
- Add UserBanStore for instant ban enforcement via Redis + memory fallback
- Fix status check bug: StrEnum is always truthy, use explicit != ACTIVE
- Shorten access_token expiry from 3h to 1h
- Add CaptchaScene enum and verify_captcha_if_needed service
- Add require_captcha dependency injection factory
- Add CLA document and new default settings
- Update all tests for new JWT API

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

sqlmodels/migration.py

@@ -29,6 +29,10 @@ default_settings: list[Setting] = [
     Setting(name="siteKeywords", value="网盘，网盘", type=SettingsType.BASIC),
     Setting(name="siteDes", value="DiskNext", type=SettingsType.BASIC),
     Setting(name="siteTitle", value="云星启智", type=SettingsType.BASIC),
+    Setting(name="site_notice", value="", type=SettingsType.BASIC),
+    Setting(name="footer_code", value="", type=SettingsType.BASIC),
+    Setting(name="tos_url", value="", type=SettingsType.BASIC),
+    Setting(name="privacy_url", value="", type=SettingsType.BASIC),
     Setting(name="fromName", value="DiskNext", type=SettingsType.MAIL),
     Setting(name="mail_keepalive", value="30", type=SettingsType.MAIL),
     Setting(name="fromAdress", value="no-reply@yxqi.cn", type=SettingsType.MAIL),