Security hardening.
- TokenIssuer validates secret/key length at construction (CWE-665)
- JWT jti uses secrets.token_hex instead of uuid4 (CWE-330)
- Warn when audience unset and on first in-memory token revocation
- verify_password logs unexpected errors instead of silently returning False (CWE-755)