chore(deps): bump PyJWT floor to >=2.13.0 for upstream advisories

pip-audit flagged four advisories against 2.12.1, all fixed in 2.13.0.
Audited the five behavioural changes in 2.13.0 against our usage; none
apply (HMAC empty-key reject can't trigger, OIDC decode uses raw-key
path not PyJWK, jwks_uri is HTTPS from discovery, no b64=false usage,
enforce_minimum_key_length not opted into). 229 auth/MFA/OIDC
integration tests + 78 auth unit tests green on 2.13.0; runtime
encode/decode roundtrip verified with the real SECRET_KEY; pip-audit
--strict now clean.