[AZ-178] Fix Critical/High security findings: auth, CVEs, non-root containers, per-job SSE

- Pin all deps; h11==0.16.0 (CVE-2025-43859), python-multipart>=1.3.1 (CVE-2026-28356), PyJWT==2.12.1
- Add HMAC JWT verification (require_auth FastAPI dependency, JWT_SECRET-gated)
- Fix TokenManager._refresh() to use ADMIN_API_URL instead of ANNOTATIONS_URL
- Rename POST /detect → POST /detect/image (image-only, rejects video files)
- Replace global SSE stream with per-job SSE: GET /detect/{media_id} with event replay buffer
- Apply require_auth to all 4 protected endpoints
- Fix on_annotation/on_status closure to use mutable current_id for correct post-upload event routing
- Add non-root appuser to Dockerfile and Dockerfile.gpu
- Add JWT_SECRET to e2e/docker-compose.test.yml and run-tests.sh
- Update all e2e tests and unit tests for new endpoints and HMAC token signing
- 64/64 tests pass

Made-with: Cursor

e2e/tests/test_resource_limits.py

@@ -8,11 +8,12 @@ import pytest
 @pytest.mark.slow
 @pytest.mark.timeout(120)
 def test_nft_res_lim_03_max_detections_per_frame(
-    warm_engine, http_client, image_dense
+    warm_engine, http_client, image_dense, auth_headers
 ):
     r = http_client.post(
-        "/detect",
+        "/detect/image",
         files={"file": ("img.jpg", image_dense, "image/jpeg")},
+        headers=auth_headers,
         timeout=120,
     )
     assert r.status_code == 200
@@ -22,10 +23,11 @@ def test_nft_res_lim_03_max_detections_per_frame(
 
 
 @pytest.mark.slow
-def test_nft_res_lim_04_log_file_rotation(warm_engine, http_client, image_small):
+def test_nft_res_lim_04_log_file_rotation(warm_engine, http_client, image_small, auth_headers):
     http_client.post(
-        "/detect",
+        "/detect/image",
         files={"file": ("img.jpg", image_small, "image/jpeg")},
+        headers=auth_headers,
         timeout=60,
     )
     candidates = [