[AZ-178] Fix Critical/High security findings: auth, CVEs, non-root containers, per-job SSE

- Pin all deps; h11==0.16.0 (CVE-2025-43859), python-multipart>=1.3.1 (CVE-2026-28356), PyJWT==2.12.1
- Add HMAC JWT verification (require_auth FastAPI dependency, JWT_SECRET-gated)
- Fix TokenManager._refresh() to use ADMIN_API_URL instead of ANNOTATIONS_URL
- Rename POST /detect → POST /detect/image (image-only, rejects video files)
- Replace global SSE stream with per-job SSE: GET /detect/{media_id} with event replay buffer
- Apply require_auth to all 4 protected endpoints
- Fix on_annotation/on_status closure to use mutable current_id for correct post-upload event routing
- Add non-root appuser to Dockerfile and Dockerfile.gpu
- Add JWT_SECRET to e2e/docker-compose.test.yml and run-tests.sh
- Update all e2e tests and unit tests for new endpoints and HMAC token signing
- 64/64 tests pass

Made-with: Cursor

run-tests.sh

@@ -49,6 +49,7 @@ PIDS+=($!)
 echo "Starting detections service on :$DETECTIONS_PORT ..."
 LOADER_URL="http://localhost:$LOADER_PORT" \
 ANNOTATIONS_URL="http://localhost:$ANNOTATIONS_PORT" \
+JWT_SECRET="test-secret-local-only" \
 PYTHONPATH="$ROOT/src" \
     "$PY" -m uvicorn main:app --host 0.0.0.0 --port "$DETECTIONS_PORT" \
     --log-level warning >/dev/null 2>&1 &
@@ -73,5 +74,6 @@ BASE_URL="http://localhost:$DETECTIONS_PORT" \
 MOCK_LOADER_URL="http://localhost:$LOADER_PORT" \
 MOCK_ANNOTATIONS_URL="http://localhost:$ANNOTATIONS_PORT" \
 MEDIA_DIR="$FIXTURES" \
+JWT_SECRET="test-secret-local-only" \
 PYTHONPATH="$ROOT/src" \
     "$PY" -m pytest e2e/tests/ tests/ -v --tb=short --durations=0 "$@"