feat(student): join-form disclaimer + matrix-driven anti-cheat tests

The portal's hijack-recovery flow has a non-obvious fairness property —
asking the instructor to reset your slot zeros every already-closed
question (status: missed) regardless of who triggered the reset. That
makes false-hijack claims strictly self-penalising and forecloses
"ask for a reset to retry Q1" as an attack on engagement scoring.

Surface this contract to students before they join: a native
<details>/<summary> accordion under the join form, styled with the
warn-tinted token palette, lays out the rules in plain language. No JS
required; keyboard- and SR-friendly.

tests/test_hijack_matrix.py: 11 end-to-end tests walking the
{hijack y/n} × {reset y/n} matrix:
- Cell A baseline (normal play)
- Cell B1 false-claim self-penalisation (full credit + partial credit)
- Cell B2 self-cleared cookie -> same penalty path
- Cell C hijacker without recovery holds the slot; audit accumulates
- Cell D hijack + recovery zeros closed Qs, kicks hijacker, normal next Q
- D-during-open-Q lets re-claimer use the remaining opened_at clock
- DELETE /admin/api/students/* requires admin auth (otherwise the
  recovery hatch becomes a hijacker tool)
- Repeated 409 attempts each accrue duplicate_join audit rows
- Stale post-recovery cookie cannot pollute the audit log
- Strict non-increase: even an instant-correct (1.00) is zeroed on reset

69/69 pytest green.

static/style.css

@@ -1256,6 +1256,54 @@ h2.question-text.small {
 .options.student-reveal li.yours.correct::before { color: var(--correct-border); }
 .options.student-reveal li.yours.wrong-pick::before { color: var(--wrong-border); }
 
+/* ---------- Join-form disclaimer accordion ---------- */
+
+.join-disclaimer {
+  border: 1px solid var(--border);
+  border-left: 3px solid var(--warn);
+  border-radius: 2px;
+  background: color-mix(in srgb, var(--warn) 4%, var(--surface));
+  padding: 0;
+  font-size: 0.86rem;
+  line-height: 1.45;
+}
+.join-disclaimer > summary {
+  cursor: pointer;
+  list-style: none;
+  padding: 11px 14px;
+  font-family: var(--font-sans);
+  font-size: 0.74rem;
+  font-weight: 700;
+  letter-spacing: 0.16em;
+  text-transform: uppercase;
+  color: var(--warn);
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 10px;
+}
+.join-disclaimer > summary::-webkit-details-marker { display: none; }
+.join-disclaimer > summary::after {
+  content: "+";
+  font-family: var(--font-mono);
+  font-weight: 600;
+  font-size: 0.95rem;
+  letter-spacing: 0;
+  color: var(--warn);
+  transition: transform 0.18s ease;
+}
+.join-disclaimer[open] > summary::after { content: "−"; }
+.join-disclaimer > ul {
+  margin: 0;
+  padding: 0 18px 14px 32px;
+  display: grid;
+  gap: 6px;
+  color: var(--text-soft);
+}
+.join-disclaimer > ul li { padding-left: 2px; }
+.join-disclaimer > ul li b { color: var(--text); font-weight: 600; }
+.join-disclaimer > ul li em { font-style: italic; color: var(--text); }
+
 /* ---------- Live presence panel (admin) ---------- */
 
 .presence-panel { padding: 18px 20px 16px; }