Refactor codebase following Clean Code principles and add 229 tests

- Extract helpers to reduce function sizes (listing_tasks, app.py, query.py, listing_fetcher)
- Replace nonlocal mutations with _PipelineState dataclass in listing_tasks
- Fix bugs: isinstance→equality check in repository, verify_exp for OIDC tokens
- Consolidate duplicate filter methods in listing_repository
- Move hardcoded config to env vars with backward-compatible defaults
- Simplify CLI decorator to auto-build QueryParameters
- Add deprecation docstring to data_access.py
- Test count: 158 → 387 (all passing)
Viktor Barzin 2026-02-07 20:19:57 +00:00
parent 7e05b3c971
commit 150342bb9e
No known key found for this signature in database
GPG key ID: 0EB088298288D958
48 changed files with 5029 additions and 990 deletions

@ -59,7 +59,6 @@ async def _verify_authentik_token(token: str) -> User:
algorithms=["RS256"],
audience=OIDC_CLIENT_ID,
issuer=metadata["issuer"],
options={"verify_exp": False},
)
return User(**payload)
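Review bot: With the options override gone from this jwt.decode call in _verify_authentik_token, expiry checking now depends on the library default, which typically validates exp only when the claim is present. If tokens that carry no exp claim must be rejected, make that explicit (for PyJWT, assuming that is the library in use here, options={"require": ["exp"]}). An expired token will now raise inside this function, so confirm the caller maps that exception to a 401 rather than a 500 and that one of the new tests covers an expired token. A small leeway value may also be needed if clock skew between this service and the issuer is possible.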
@ -84,7 +83,9 @@ async def get_current_user(
) -> User:
token = credentials.credentials
try:
# Peek at unverified issuer to route verification
# Decode WITHOUT verification just to read the "iss" claim for routing.
# This is safe: we only use the issuer to decide which verified decode
# path to take next; the actual security check happens in the branch below.
unverified = jwt.decode(
token, options={"verify_signature": False, "verify_exp": False}
)
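Review bot: The new comment above the unverified jwt.decode in get_current_user states that the peek is safe, but that holds only if every branch that follows performs a fully verified decode and an unrecognised iss value is rejected outright; neither is visible in this hunk. Match the unverified issuer against an exact allow-list, fail closed in the fallback branch, and read nothing but iss from unverified. It is worth saying so in the comment, so that a later edit does not start trusting other claims from the unverified payload.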