feat(gdpr): consume UserDeleted and cascade device/MQTT cleanup

[MarkCesium]

Summary

On UserDeleted, devices-owned artifacts for that user must be wiped: user MQTT credentials in Redis, role cache entries, and any device tokens that the user was the sole authorizer for (rare, mostly affects places#P2 cascade).

Changes

• New consumer on auth.user.deleted in backend/devices/src/infra/broker/routes.py.
• Calls mqtt_auth.invalidate_user_credentials(user_id) (extend backend/devices/src/services/mqtt_auth.py).
• Removes user entries from role cache via role_cache.remove_user(user_id).
• Idempotent via feat(reliability): idempotent Kafka consumers with processed-events table #13.

Blocked by

• feat(gdpr): DeleteUser RPC and UserDeleted event emission auth#6

Verification

• Delete user U holding active MQTT WebSocket session.
• Session dropped within seconds; reconnect with old creds returns auth_failed.
• Redis shows no mqtt:cred:user:<uid> entry.