Replace passlib with bcrypt directly to fix Python 3.12 compatibility

passlib 1.7.4 runs an internal bcrypt wrap-bug test on startup that
fails with bcrypt 4.x because it uses a >72 byte test password.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/services/auth.py

@@ -1,18 +1,16 @@
 from datetime import datetime, timedelta
 from typing import Optional
+import bcrypt
 from jose import JWTError, jwt
-from passlib.context import CryptContext
 from ..config import get_settings
 
-pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
-
 
 def hash_password(password: str) -> str:
-    return pwd_context.hash(password)
+    return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
 
 
 def verify_password(plain: str, hashed: str) -> bool:
-    return pwd_context.verify(plain, hashed)
+    return bcrypt.checkpw(plain.encode(), hashed.encode())
 
 
 def create_token(user_id: str) -> str:

backend/requirements.txt

@@ -5,7 +5,7 @@ aiosqlite==0.20.0
 pydantic==2.9.2
 pydantic-settings==2.5.2
 python-jose[cryptography]==3.3.0
-passlib[bcrypt]==1.7.4
+bcrypt==4.2.0
 python-multipart==0.0.12
 httpx==0.27.2
 watchdog==5.0.3