feat(auth): accept refapp signed login JWT as Bearer for per-user attribution
verifyRefappToken validates refapp's HMAC-SHA256 login JWT (shared
REFAPP_TOKEN_SECRET) and maps it to a discord-type actor, so refserver audit
logs and participant checks attribute actions to the real user. Mirrors
refapp's token version check; documents the bounded revocation gap.