feat: add device public key and fingerprint for cross-layer binding

[felippemsc]

Summary

• Require public_key (Base64 uncompressed EC point) in POST /devices request- Compute device_public_key_fingerprint (SHA-256 hex of raw key bytes) and store both on the Device model as NOT NULL columns
• Carry fingerprint through session cache into JWT claims, binding the Capture Trust layer to the Media Integrity layer
• Add Alembic migration for the two new columns

Context

The sidecar's two layers (Capture Trust JWT + Media Integrity ECDSA proof) were not cryptographically bound.
An attacker could reuse a valid JWT with a forged media integrity proof signed by a different key pair.
Including the device's content-signing public key fingerprint in the JWT closes this gap.
Validators can now verify that the public key in the sidecar matches the one the server saw at registration.

Test plan

• All 21 unit tests pass (test_device.py, test_capture.py)
• All integration tests pass (test_device_flow.py, test_capture_flow.py, test_jwks.py)
• alembic upgrade head applies cleanly
• POST /devices without public_key returns 422
• POST /devices with public_key stores both key and fingerprint
• Full capture flow produces JWT with device_public_key_fingerprint claim
• SHA-256(base64_decode(public_key)) matches the JWT claim

[github-actions]

🚀 Release Candidate Deployed!

Version: v0.0.27-rc.46

The RC has been deployed to the dev environment. Check the /health endpoint to verify.

[github-actions]

🚀 Release Candidate Deployed!

Version: v0.0.28-rc.46

The RC has been deployed to the dev environment. Check the /health endpoint to verify.

[github-actions]

🚀 Release Candidate Deployed!

Version: v0.0.29-rc.46

The RC has been deployed to the dev environment. Check the /health endpoint to verify.