fix(security): ship isolated JWT decorator hotfix

* fix(security): isolate dependency hotfix from github main

* fix(security): expose hotfix jwt decorators across routes

* test(e2e): restore stable app header selectors

* test(e2e): align planner and app shell checks

* test(e2e): add legacy settings page selectors

* test(e2e): align settings page contracts

backend/package.json

@@ -20,7 +20,6 @@
     "@fastify/cookie": "^11.0.2",
     "@fastify/cors": "^11.2.0",
     "@fastify/helmet": "^13.0.2",
-    "@fastify/jwt": "^10.0.0",
     "@fastify/multipart": "^9.4.0",
     "@fastify/rate-limit": "^10.3.0",
     "@fastify/sensible": "^6.0.4",
@@ -32,6 +31,8 @@
     "dotenv": "^17.3.1",
     "drizzle-orm": "^0.45.2",
     "fastify": "^5.8.4",
+    "fastify-plugin": "^5.0.1",
+    "jose": "^6.2.2",
     "nodemailer": "^8.0.4",
     "openid-client": "^6.8.2",
     "sharp": "^0.34.5",