security: fix 6 vulnerabilities identified in SDLC audit

- fix(auth): enforce API key scopes in require_role/require_any_role;
  attach _api_key_scopes to user on API key auth; add require_scope()
  dependency — scopes were stored but never enforced (CWE-285)

- fix(sso): read SECURE_COOKIES env var for SSO cookie instead of
  hardcoded secure=False — SAML sessions now respect HTTPS config (CWE-614)

- fix(webhooks): SSRF prevention — validate webhook URLs against private
  and reserved CIDRs at creation/update time (CWE-918)

- fix(knowledge): restrict playbook/lesson create, update and restore
  to admin/red_lead/blue_lead roles — was open to any authenticated user (CWE-284)

- fix(alerts): restrict alert acknowledge/resolve/dismiss to admin/lead
  roles — any user could silence security alerts (CWE-284)

- security: delete get_admin_creds.py, check_auth.py, deploy.py scripts
  containing hardcoded root SSH credentials and production DB access;
  add scripts/.gitignore to prevent reintroduction (CWE-798)

backend/app/dependencies/auth.py

@@ -123,11 +123,27 @@ async def require_password_changed(
     return current_user
 
 
+def _check_api_key_scope(user: User, required_scope: str) -> None:
+    """Raise 403 if the request was authenticated via an API key that lacks *required_scope*.
+
+    When authenticated via JWT (browser session), ``_api_key_scopes`` is not set
+    and the check is skipped — full access is granted based on role alone.
+    """
+    key_scopes = getattr(user, "_api_key_scopes", None)
+    if key_scopes is not None and required_scope not in key_scopes:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=f"API key scope '{required_scope}' required for this operation",
+        )
+
+
 def require_role(required_role: str):
     """Return a FastAPI dependency that enforces *required_role*.
 
     The dependency allows the request to proceed when
     ``user.role == required_role`` **or** ``user.role == "admin"``.
+    Also enforces API key scopes: admin-role endpoints require the ``admin``
+    scope; all other role-restricted endpoints require ``write``.
     Otherwise it raises :class:`~fastapi.HTTPException` **403**.
     """
 
@@ -139,6 +155,8 @@ def require_role(required_role: str):
                 status_code=status.HTTP_403_FORBIDDEN,
                 detail="Not enough permissions",
             )
+        scope = "admin" if required_role == "admin" else "write"
+        _check_api_key_scope(current_user, scope)
         return current_user
 
     return role_checker
@@ -147,7 +165,11 @@ def require_role(required_role: str):
 def require_any_role(*roles: str):
     """Return a FastAPI dependency that enforces **any** of the given *roles*.
 
-    Admins always pass.  Usage example::
+    Admins always pass.  Also enforces API key scopes: if the only accepted
+    role is ``admin``, the key must carry the ``admin`` scope; otherwise the
+    ``write`` scope is required.
+
+    Usage example::
 
         @router.patch("/resource", dependencies=[Depends(require_any_role("red_lead", "blue_lead"))])
     """
@@ -160,6 +182,27 @@ def require_any_role(*roles: str):
                 status_code=status.HTTP_403_FORBIDDEN,
                 detail="Not enough permissions",
             )
+        scope = "admin" if set(roles) == {"admin"} else "write"
+        _check_api_key_scope(current_user, scope)
         return current_user
 
     return role_checker
+
+
+def require_scope(scope: str):
+    """Return a dependency that enforces the API key carries *scope*.
+
+    JWT-authenticated requests (browser sessions) bypass this check entirely.
+    Use on mutation endpoints that don't already use ``require_role`` /
+    ``require_any_role``::
+
+        @router.post("/resource", dependencies=[Depends(require_scope("write"))])
+    """
+
+    async def scope_checker(
+        current_user: User = Depends(get_current_user),
+    ) -> User:
+        _check_api_key_scope(current_user, scope)
+        return current_user
+
+    return scope_checker