[AZ-178] Fix Critical/High security findings: auth, CVEs, non-root containers, per-job SSE

- Pin all deps; h11==0.16.0 (CVE-2025-43859), python-multipart>=1.3.1 (CVE-2026-28356), PyJWT==2.12.1
- Add HMAC JWT verification (require_auth FastAPI dependency, JWT_SECRET-gated)
- Fix TokenManager._refresh() to use ADMIN_API_URL instead of ANNOTATIONS_URL
- Rename POST /detect → POST /detect/image (image-only, rejects video files)
- Replace global SSE stream with per-job SSE: GET /detect/{media_id} with event replay buffer
- Apply require_auth to all 4 protected endpoints
- Fix on_annotation/on_status closure to use mutable current_id for correct post-upload event routing
- Add non-root appuser to Dockerfile and Dockerfile.gpu
- Add JWT_SECRET to e2e/docker-compose.test.yml and run-tests.sh
- Update all e2e tests and unit tests for new endpoints and HMAC token signing
- 64/64 tests pass

Made-with: Cursor

.env.example

@@ -0,0 +1,26 @@
+# Azaion.Detections — Environment Variables
+# Copy to .env and fill in actual values
+
+# External service URLs
+LOADER_URL=http://loader:8080
+ANNOTATIONS_URL=http://annotations:8080
+
+# Authentication (HMAC secret shared with Admin API; if empty, auth is not enforced)
+JWT_SECRET=
+
+# Remote Admin API for token refresh (if empty, refresh is skipped — offline/field mode)
+ADMIN_API_URL=
+
+# File paths
+CLASSES_JSON_PATH=classes.json
+LOG_DIR=Logs
+VIDEOS_DIR=./data/videos
+IMAGES_DIR=./data/images
+
+# Container registry (for deployment scripts)
+REGISTRY=your-registry.example.com
+IMAGE_TAG=latest
+
+# Remote deployment target (for deploy.sh)
+DEPLOY_HOST=
+DEPLOY_USER=deploy