Summary

Closes #71. The jwt field on Session/NewSession/SessionRef was written and cloned but never read after #70 — handle_logout switched to session.jti, destroy_others_by_canonical_id returns JTIs, and handle_ticket mints fresh ticket JWTs from session claims rather than the stored one. The session-time JWT was never returned to the client either (callback/register/login all set just the session-id cookie + a user-info JSON body — no JWT).

Dropped the field from all three structs and removed mint_callback_jwt entirely; its three callers now just generate a JTI inline via JtiRevocationStore::generate_jti(). handle_login's no-longer-needed ProviderIdentity construction and verified destructure also dropped.

No behavior change. Pure cleanup; types affected are crate-private (only SessionStore and JtiRevocationStore are re-exported).

Test plan

• cargo make clippy — clean (workspace + no-default + wasm + default)
• cargo test -p mqdb-agent --features http-api session_store — 8/8 pass
• cargo make dev — only failure is the pre-existing mqtt_transport_heartbeat_roundtrip (local port 11883 held by a long-running mqdb agent), unrelated to this branch