[AZ-178] Fix Critical/High security findings: auth, CVEs, non-root containers, per-job SSE

- Pin all deps; h11==0.16.0 (CVE-2025-43859), python-multipart>=1.3.1 (CVE-2026-28356), PyJWT==2.12.1
- Add HMAC JWT verification (require_auth FastAPI dependency, JWT_SECRET-gated)
- Fix TokenManager._refresh() to use ADMIN_API_URL instead of ANNOTATIONS_URL
- Rename POST /detect → POST /detect/image (image-only, rejects video files)
- Replace global SSE stream with per-job SSE: GET /detect/{media_id} with event replay buffer
- Apply require_auth to all 4 protected endpoints
- Fix on_annotation/on_status closure to use mutable current_id for correct post-upload event routing
- Add non-root appuser to Dockerfile and Dockerfile.gpu
- Add JWT_SECRET to e2e/docker-compose.test.yml and run-tests.sh
- Update all e2e tests and unit tests for new endpoints and HMAC token signing
- 64/64 tests pass

Made-with: Cursor

tests/test_az174_db_driven_config.py

@@ -1,5 +1,6 @@
 import base64
 import json
+import os
 import time
 from unittest.mock import MagicMock, patch
 
@@ -8,6 +9,14 @@ from fastapi import HTTPException
 
 
 def _access_jwt(sub: str = "u1") -> str:
+    secret = os.environ.get("JWT_SECRET", "")
+    if secret:
+        import jwt as pyjwt
+        return pyjwt.encode(
+            {"exp": int(time.time()) + 3600, "sub": sub},
+            secret,
+            algorithm="HS256",
+        )
     raw = json.dumps(
         {"exp": int(time.time()) + 3600, "sub": sub}, separators=(",", ":")
     ).encode()
@@ -19,11 +28,7 @@ def test_token_manager_decode_user_id_sub():
     # Arrange
     from main import TokenManager
 
-    raw = json.dumps(
-        {"sub": "user-abc", "exp": int(time.time()) + 3600}, separators=(",", ":")
-    ).encode()
-    payload = base64.urlsafe_b64encode(raw).decode().rstrip("=")
-    token = f"hdr.{payload}.sig"
+    token = _access_jwt("user-abc")
     # Act
     uid = TokenManager.decode_user_id(token)
     # Assert