feat: embed permission claims in JWT and add captcha verification

- Add GroupClaims model for JWT permission snapshots
- Add JWTPayload model for typed JWT decoding
- Refactor auth middleware: jwt_required (no DB) -> admin_required (no DB) -> auth_required (DB)
- Add UserBanStore for instant ban enforcement via Redis + memory fallback
- Fix status check bug: StrEnum is always truthy, use explicit != ACTIVE
- Shorten access_token expiry from 3h to 1h
- Add CaptchaScene enum and verify_captcha_if_needed service
- Add require_captcha dependency injection factory
- Add CLA document and new default settings
- Update all tests for new JWT API

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tests/unit/models/test_user.py

@@ -5,7 +5,7 @@ import pytest
 from sqlalchemy.exc import IntegrityError
 from sqlmodel.ext.asyncio.session import AsyncSession
 
-from sqlmodels.user import User, ThemeType, UserPublic
+from sqlmodels.user import User, ThemeType, UserPublic, UserStatus
 from sqlmodels.group import Group
 
 
@@ -28,7 +28,7 @@ async def test_user_create(db_session: AsyncSession):
     assert user.id is not None
     assert user.email == "testuser@test.local"
     assert user.nickname == "测试用户"
-    assert user.status is True
+    assert user.status == UserStatus.ACTIVE
     assert user.storage == 0
     assert user.score == 0
 
@@ -131,7 +131,7 @@ async def test_user_status_default(db_session: AsyncSession):
     )
     user = await user.save(db_session)
 
-    assert user.status is True
+    assert user.status == UserStatus.ACTIVE
 
 
 @pytest.mark.asyncio