security: fix 6 vulnerabilities identified in SDLC audit

- fix(auth): enforce API key scopes in require_role/require_any_role;
  attach _api_key_scopes to user on API key auth; add require_scope()
  dependency — scopes were stored but never enforced (CWE-285)

- fix(sso): read SECURE_COOKIES env var for SSO cookie instead of
  hardcoded secure=False — SAML sessions now respect HTTPS config (CWE-614)

- fix(webhooks): SSRF prevention — validate webhook URLs against private
  and reserved CIDRs at creation/update time (CWE-918)

- fix(knowledge): restrict playbook/lesson create, update and restore
  to admin/red_lead/blue_lead roles — was open to any authenticated user (CWE-284)

- fix(alerts): restrict alert acknowledge/resolve/dismiss to admin/lead
  roles — any user could silence security alerts (CWE-284)

- security: delete get_admin_creds.py, check_auth.py, deploy.py scripts
  containing hardcoded root SSH credentials and production DB access;
  add scripts/.gitignore to prevent reintroduction (CWE-798)

backend/app/services/api_key_service.py

@@ -148,4 +148,8 @@ def authenticate_raw_key(db: Session, raw_key: str) -> Optional[User]:
     if user is None or not user.is_active:
         return None
 
+    # Attach the key's scopes to the user instance so scope-enforcement
+    # dependencies can verify them without an additional DB query.
+    # _api_key_scopes=None means "full user access" (JWT path).
+    user._api_key_scopes = key.scopes or []
     return user