cosmetics sync.

auth (once per session):
  POST /api/auth/begin   {username}                  -> {server_id}
    mod calls Mojang sessionserver/join with server_id
  POST /api/auth/finish  {server_id, username}       -> {token, uuid}

session (mod opens these on game-server-join, closes on leave):
  POST /api/session/join     {session_id}
  POST /api/session/leave
  POST /api/session/heartbeat
  GET  /api/stream                 [SSE: cosmetic_changed / player_joined / player_left]

cosmetic state:
  PUT  /api/cosmetics        {equipped: {SLOT: id, ...}}
  GET  /api/cosmetics/{uuid}
  POST /api/cosmetics/batch  {uuids: [...]}

misc:
  GET  /api/slots
  GET  /api/stats

all endpoints except /api/auth/* and / require Authorization: Bearer <jwt>.