invalidate http sessions on mqtt password change and reset #70

Merged

fabracht merged 1 commit into main from fix/mqtt-password-change-invalidates-sessions on May 24, 2026

Conversation

@fabracht (Contributor)

Summary

  • Closes MQTT password-change does not invalidate HTTP sessions #69 (MQTT scope of invalidate other sessions on password change #37). handle_password_change_mqtt and handle_password_reset_submit_mqtt now destroy every HTTP session for the affected user and revoke their JTIs, matching the HTTP-path behavior added in invalidate other sessions on password change #68.
  • HttpServerConfig now owns the Arc<SessionStore> and Arc<JtiRevocationStore>, so the same instances back both the HTTP server and the MQTT handler task. MqdbAgent snapshots the Arcs in with_http_config and threads Option references through MessageContextAdminContext (Option because cluster-agent mode has no HTTP server).
  • Cleanup along the way: Session/NewSession/SessionRef carry the jti directly (captured when the JWT is minted), so destroy_others_by_canonical_id returns JTIs instead of JWTs and handle_logout no longer decodes its own session's JWT. mint_callback_jwt returns (jwt, jti) — all three callers updated. JtiRevocationStore::revoke now warn!s when the MAX_REVOKED_JTIS cap is hit (invalidate other sessions on password change #68 review nit).

Test plan

  • cargo make dev (format + clippy + tests) — clean; the one pre-existing failure is mqdb-cluster::mqtt_transport_heartbeat_roundtrip because port 11883 is held by a local frontend POC agent, unrelated to this branch
  • 2 new unit tests in session_store.rs (destroy_others_skips_empty_jti_sessions, revoke_many_revokes_all_jtis); existing 3 destroy-others tests rewritten around JTIs
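The mechanism the summary describes, as an added sketch in Rust that is not mqdb's own code: sessions carry the JTI of their JWT, one shared session store and one JTI denylist are reached from both the HTTP and MQTT paths, and a password change on either path destroys the user's sessions and revokes the JTIs that destruction returns. The names (`SessionStore`, `JtiRevocationStore`, `destroy_all_by_canonical_id`, `invalidate_user_sessions`) and the warn-and-drop behaviour at the cap are assumptions, not the project's API.

```rust
// Added sketch, not mqdb's own code (see lead-in). Std-only, so it runs stand-alone.
use std::collections::{HashMap, HashSet};
use std::sync::{Arc, Mutex};
pub struct Session {
    pub id: String,
    pub canonical_id: String, // the user this session belongs to
    pub jti: String,          // captured when the session's JWT was minted; may be empty
}
#[derive(Default)]
pub struct SessionStore { sessions: Mutex<HashMap<String, Session>> }
impl SessionStore {
    pub fn insert(&self, s: Session) { self.sessions.lock().unwrap().insert(s.id.clone(), s); }
    pub fn len(&self) -> usize { self.sessions.lock().unwrap().len() }
    /// Destroy every session of `canonical_id`; return their non-empty JTIs.
    pub fn destroy_all_by_canonical_id(&self, canonical_id: &str) -> Vec<String> {
        let mut map = self.sessions.lock().unwrap();
        let doomed: Vec<String> = map.iter()
            .filter(|(_, s)| s.canonical_id == canonical_id).map(|(id, _)| id.clone()).collect();
        doomed.iter().filter_map(|id| map.remove(id))
            .filter(|s| !s.jti.is_empty()).map(|s| s.jti).collect()
    }
}
/// Denylist of revoked JWT IDs, bounded so session churn cannot grow it without
/// limit. Behaviour at the cap (warn and drop) is an assumption of this sketch.
pub struct JtiRevocationStore { revoked: Mutex<HashSet<String>>, cap: usize }
impl JtiRevocationStore {
    pub fn new(cap: usize) -> Self { Self { revoked: Mutex::new(HashSet::new()), cap } }
    pub fn is_revoked(&self, jti: &str) -> bool { self.revoked.lock().unwrap().contains(jti) }
    /// Revoke all given JTIs; returns how many were dropped because the cap was hit.
    pub fn revoke_many(&self, jtis: impl IntoIterator<Item = String>) -> usize {
        let mut set = self.revoked.lock().unwrap();
        let mut dropped = 0;
        for j in jtis {
            if set.len() >= self.cap && !set.contains(&j) {
                eprintln!("warn: revoked-JTI cap of {} hit, dropping {j}", self.cap);
                dropped += 1;
            } else { set.insert(j); }
        }
        dropped
    }
}
/// What both the HTTP and MQTT password-change paths do after the new password is
/// stored: tear down the user's sessions and revoke their JWTs in the shared stores.
pub fn invalidate_user_sessions(sessions: &Arc<SessionStore>, jtis: &Arc<JtiRevocationStore>,
                                canonical_id: &str) -> usize {
    let revoked = sessions.destroy_all_by_canonical_id(canonical_id);
    let n = revoked.len();
    jtis.revoke_many(revoked);
    n
}
```

A session whose JWT was never minted (empty `jti`) is still destroyed but contributes nothing to the denylist, which is the case the PR's `destroy_others_skips_empty_jti_sessions` test covers.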

@fabracht fabracht merged commit 40e7936 into main May 24, 2026
5 checks passed
@fabracht fabracht deleted the fix/mqtt-password-change-invalidates-sessions branch May 24, 2026 02:01