feat(enterprise): Phase 14 — API Key Management + SSO/SAML 2.0

- ApiKey model (SHA-256 hash, prefix, scopes, expiry) + Alembic migration (b040ent)
- SsoConfig model for SAML 2.0 IdP settings (attribute mapping, auto-provision)
- API key auth integrated into get_current_user (aegis_ prefix detection)
- Routers: /api/v1/api-keys (full CRUD + revoke) and /api/v1/sso (metadata, login, callback, config)
- python3-saml added to requirements; Dockerfile adds libxmlsec1-dev for SAML XML signing
- QA script: 52 assertions covering key lifecycle, API key auth, SSO config

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/dependencies/auth.py

@@ -4,6 +4,7 @@ Authentication and RBAC dependencies for FastAPI.
 Provides:
 - ``get_current_user``: decodes JWT from HttpOnly cookie (preferred) or
   Authorization header (fallback), fetches user from DB, raises 401 on failure.
+  Also accepts Aegis API keys (``aegis_…`` prefix) as Bearer tokens.
 - ``require_role``: factory that returns a dependency enforcing a specific role
   (admins always pass).
 """
@@ -19,6 +20,7 @@ from app import auth as auth_lib
 from app.config import settings
 from app.database import get_db
 from app.models.user import User
+from app.models.api_key import KEY_PREFIX
 
 # ---------------------------------------------------------------------------
 # OAuth2 scheme (reads Authorization header — used as fallback / Swagger UI)
@@ -68,6 +70,15 @@ async def get_current_user(
     if token is None:
         raise credentials_exception
 
+    # ── API Key path (Bearer token starts with "aegis_") ──────────────────
+    if token.startswith(KEY_PREFIX):
+        from app.services.api_key_service import authenticate_raw_key
+        user = authenticate_raw_key(db, token)
+        if user is None:
+            raise credentials_exception
+        return user
+
+    # ── JWT path ──────────────────────────────────────────────────────────
     try:
         payload = jwt.decode(
             token,