fix: pin bcrypt<4.0.0 to restore passlib compatibility

passlib 1.7.4 (unmaintained since 2020) is incompatible with bcrypt>=4.0:
- bcrypt 4.x removed bcrypt.__about__ (passlib version probe fails)
- bcrypt 4.x enforces 72-byte password limit strictly, crashing
  passlib's detect_wrap_bug() compatibility test during context init

Pinning bcrypt<4.0.0 is the standard workaround until passlib is replaced.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/requirements.txt

@@ -5,6 +5,7 @@ alembic==1.13.1
 psycopg2-binary==2.9.9
 python-jose[cryptography]==3.3.0
 passlib[bcrypt]==1.7.4
+bcrypt<4.0.0
 python-multipart==0.0.9
 pydantic[email]==2.7.1
 pydantic-settings==2.2.1