feat(enterprise): Phase 14 — API Key Management + SSO/SAML 2.0

- ApiKey model (SHA-256 hash, prefix, scopes, expiry) + Alembic migration (b040ent)
- SsoConfig model for SAML 2.0 IdP settings (attribute mapping, auto-provision)
- API key auth integrated into get_current_user (aegis_ prefix detection)
- Routers: /api/v1/api-keys (full CRUD + revoke) and /api/v1/sso (metadata, login, callback, config)
- python3-saml added to requirements; Dockerfile adds libxmlsec1-dev for SAML XML signing
- QA script: 52 assertions covering key lifecycle, API key auth, SSO config

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/main.py

@@ -44,6 +44,8 @@ from app.routers import attack_paths as attack_paths_router
 from app.routers import knowledge as knowledge_router
 from app.routers import risk_intelligence as risk_router
 from app.routers import executive_dashboard as dashboard_router
+from app.routers import api_keys as api_keys_router
+from app.routers import sso as sso_router
 from app.domain.errors import DomainError
 from app.middleware.error_handler import domain_exception_handler
 from app.middleware.request_context import RequestContextMiddleware
@@ -147,6 +149,8 @@ app.include_router(attack_paths_router.router, prefix="/api/v1")
 app.include_router(knowledge_router.router, prefix="/api/v1")
 app.include_router(risk_router.router, prefix="/api/v1")
 app.include_router(dashboard_router.router, prefix="/api/v1")
+app.include_router(api_keys_router.router, prefix="/api/v1")
+app.include_router(sso_router.router, prefix="/api/v1")
 
 
 @app.get("/health", include_in_schema=False)