[AZ-178] Fix Critical/High security findings: auth, CVEs, non-root containers, per-job SSE

- Pin all deps; h11==0.16.0 (CVE-2025-43859), python-multipart>=1.3.1 (CVE-2026-28356), PyJWT==2.12.1
- Add HMAC JWT verification (require_auth FastAPI dependency, JWT_SECRET-gated)
- Fix TokenManager._refresh() to use ADMIN_API_URL instead of ANNOTATIONS_URL
- Rename POST /detect → POST /detect/image (image-only, rejects video files)
- Replace global SSE stream with per-job SSE: GET /detect/{media_id} with event replay buffer
- Apply require_auth to all 4 protected endpoints
- Fix on_annotation/on_status closure to use mutable current_id for correct post-upload event routing
- Add non-root appuser to Dockerfile and Dockerfile.gpu
- Add JWT_SECRET to e2e/docker-compose.test.yml and run-tests.sh
- Update all e2e tests and unit tests for new endpoints and HMAC token signing
- 64/64 tests pass

Made-with: Cursor

e2e/tests/test_streaming_video_upload.py

@@ -36,14 +36,21 @@ def _chunked_reader(path: str, chunk_size: int = 64 * 1024):
             yield chunk
 
 
-def _start_sse_listener(http_client) -> tuple[list[dict], list[BaseException], threading.Event]:
+def _start_sse_listener(
+    http_client, media_id: str, auth_headers: dict
+) -> tuple[list[dict], list[BaseException], threading.Event]:
     events: list[dict] = []
     errors: list[BaseException] = []
     first_event = threading.Event()
 
     def _listen():
         try:
-            with http_client.get("/detect/stream", stream=True, timeout=_TIMEOUT + 2) as resp:
+            with http_client.get(
+                f"/detect/{media_id}",
+                stream=True,
+                timeout=_TIMEOUT + 2,
+                headers=auth_headers,
+            ) as resp:
                 resp.raise_for_status()
                 for event in sseclient.SSEClient(resp).events():
                     if not event.data or not str(event.data).strip():
@@ -62,24 +69,30 @@ def _start_sse_listener(http_client) -> tuple[list[dict], list[BaseException], t
 
 
 @pytest.mark.timeout(10)
-def test_streaming_video_detections_appear_during_upload(warm_engine, http_client):
+def test_streaming_video_detections_appear_during_upload(
+    warm_engine, http_client, auth_headers
+):
     # Arrange
     video_path = _fixture_path("video_test01.mp4")
-    events, errors, first_event = _start_sse_listener(http_client)
-    time.sleep(0.3)
 
     # Act
     r = http_client.post(
         "/detect/video",
         data=_chunked_reader(video_path),
-        headers={"X-Filename": "video_test01.mp4", "Content-Type": "application/octet-stream"},
+        headers={
+            **auth_headers,
+            "X-Filename": "video_test01.mp4",
+            "Content-Type": "application/octet-stream",
+        },
         timeout=8,
     )
+    assert r.status_code == 200
+    media_id = r.json()["mediaId"]
+    events, errors, first_event = _start_sse_listener(http_client, media_id, auth_headers)
     first_event.wait(timeout=_TIMEOUT)
 
     # Assert
     assert not errors, f"SSE thread error: {errors}"
-    assert r.status_code == 200
     assert len(events) >= 1, "Expected at least one SSE event within 5s"
     print(f"\n  First {len(events)} SSE events:")
     for e in events:
@@ -87,24 +100,28 @@ def test_streaming_video_detections_appear_during_upload(warm_engine, http_clien
 
 
 @pytest.mark.timeout(10)
-def test_non_faststart_video_still_works(warm_engine, http_client):
+def test_non_faststart_video_still_works(warm_engine, http_client, auth_headers):
     # Arrange
     video_path = _fixture_path("video_test01.mp4")
-    events, errors, first_event = _start_sse_listener(http_client)
-    time.sleep(0.3)
 
     # Act
     r = http_client.post(
         "/detect/video",
         data=_chunked_reader(video_path),
-        headers={"X-Filename": "video_test01_plain.mp4", "Content-Type": "application/octet-stream"},
+        headers={
+            **auth_headers,
+            "X-Filename": "video_test01_plain.mp4",
+            "Content-Type": "application/octet-stream",
+        },
         timeout=8,
     )
+    assert r.status_code == 200
+    media_id = r.json()["mediaId"]
+    events, errors, first_event = _start_sse_listener(http_client, media_id, auth_headers)
     first_event.wait(timeout=_TIMEOUT)
 
     # Assert
     assert not errors, f"SSE thread error: {errors}"
-    assert r.status_code == 200
     assert len(events) >= 1, "Expected at least one SSE event within 5s"
     print(f"\n  First {len(events)} SSE events:")
     for e in events: