feat: embed permission claims in JWT and add captcha verification

- Add GroupClaims model for JWT permission snapshots
- Add JWTPayload model for typed JWT decoding
- Refactor auth middleware: jwt_required (no DB) -> admin_required (no DB) -> auth_required (DB)
- Add UserBanStore for instant ban enforcement via Redis + memory fallback
- Fix status check bug: StrEnum is always truthy, use explicit != ACTIVE
- Shorten access_token expiry from 3h to 1h
- Add CaptchaScene enum and verify_captcha_if_needed service
- Add require_captcha dependency injection factory
- Add CLA document and new default settings
- Update all tests for new JWT API

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tests/unit/service/test_login.py

@@ -4,7 +4,7 @@ Login 服务的单元测试
 import pytest
 from sqlmodel.ext.asyncio.session import AsyncSession
 
-from sqlmodels.user import User, LoginRequest, TokenResponse
+from sqlmodels.user import User, LoginRequest, TokenResponse, UserStatus
 from sqlmodels.group import Group
 from service.user.login import login
 from utils.password.pwd import Password
@@ -22,7 +22,7 @@ async def setup_user(db_session: AsyncSession):
     user = User(
         email="loginuser@test.local",
         password=Password.hash(plain_password),
-        status=True,
+        status=UserStatus.ACTIVE,
         group_id=group.id
     )
     user = await user.save(db_session)
@@ -43,7 +43,7 @@ async def setup_banned_user(db_session: AsyncSession):
     user = User(
         email="banneduser@test.local",
         password=Password.hash("password"),
-        status=False,  # 封禁状态
+        status=UserStatus.ADMIN_BANNED,  # 封禁状态
         group_id=group.id
     )
     user = await user.save(db_session)
@@ -63,7 +63,7 @@ async def setup_2fa_user(db_session: AsyncSession):
     user = User(
         email="2fauser@test.local",
         password=Password.hash("password"),
-        status=True,
+        status=UserStatus.ACTIVE,
         two_factor=secret,
         group_id=group.id
     )