feat(enterprise): Phase 14 — API Key Management + SSO/SAML 2.0

- ApiKey model (SHA-256 hash, prefix, scopes, expiry) + Alembic migration (b040ent)
- SsoConfig model for SAML 2.0 IdP settings (attribute mapping, auto-provision)
- API key auth integrated into get_current_user (aegis_ prefix detection)
- Routers: /api/v1/api-keys (full CRUD + revoke) and /api/v1/sso (metadata, login, callback, config)
- python3-saml added to requirements; Dockerfile adds libxmlsec1-dev for SAML XML signing
- QA script: 52 assertions covering key lifecycle, API key auth, SSO config

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/models/api_key.py

@@ -0,0 +1,81 @@
+"""Phase 14: API Key model for programmatic access."""
+
+import hashlib
+import secrets
+import uuid
+from datetime import datetime
+
+from sqlalchemy import Boolean, Column, DateTime, ForeignKey, Index, String, Text
+from sqlalchemy.dialects.postgresql import JSONB, UUID
+from sqlalchemy.orm import relationship
+
+from app.database import Base
+
+# ── Key generation constants ──────────────────────────────────────────────────
+KEY_PREFIX  = "aegis_"
+KEY_BYTES   = 32    # 32 random bytes → 64 hex chars → 70-char key total
+DISPLAY_LEN = 12    # chars stored as prefix for UI display
+
+
+def generate_raw_key() -> str:
+    """Generate a fresh raw API key (must be shown to user only once)."""
+    return KEY_PREFIX + secrets.token_hex(KEY_BYTES)
+
+
+def hash_key(raw_key: str) -> str:
+    """SHA-256 hash of a raw API key for secure storage."""
+    return hashlib.sha256(raw_key.encode()).hexdigest()
+
+
+def key_prefix_display(raw_key: str) -> str:
+    """First DISPLAY_LEN characters of the raw key (safe for UI)."""
+    return raw_key[:DISPLAY_LEN]
+
+
+# ── Valid scopes ──────────────────────────────────────────────────────────────
+VALID_SCOPES = {"read", "write", "admin"}
+
+
+class ApiKey(Base):
+    """
+    Scoped API key for programmatic / BI / SOAR access.
+
+    The full raw key is **never stored** — only a SHA-256 hash.
+    The first 12 characters (``key_prefix``) are retained for display.
+    """
+
+    __tablename__ = "api_keys"
+
+    id          = Column(UUID(as_uuid=True), primary_key=True, default=uuid.uuid4)
+    name        = Column(String(200), nullable=False)
+    description = Column(Text, nullable=True)
+
+    # Display only — never use for auth
+    key_prefix  = Column(String(DISPLAY_LEN + 1), nullable=False)
+
+    # Auth token — SHA-256 of the full raw key
+    key_hash    = Column(String(64), nullable=False, unique=True)
+
+    # Owner
+    user_id     = Column(
+        UUID(as_uuid=True),
+        ForeignKey("users.id", ondelete="CASCADE"),
+        nullable=False,
+    )
+
+    # Permissions
+    scopes      = Column(JSONB, nullable=False, default=["read"])   # ["read","write","admin"]
+
+    # Lifecycle
+    last_used_at = Column(DateTime, nullable=True)
+    expires_at   = Column(DateTime, nullable=True)
+    is_active    = Column(Boolean, nullable=False, default=True)
+    created_at   = Column(DateTime, default=datetime.utcnow)
+
+    user = relationship("User", foreign_keys=[user_id])
+
+    __table_args__ = (
+        Index("ix_api_keys_user_id",  "user_id"),
+        Index("ix_api_keys_key_hash", "key_hash"),
+        Index("ix_api_keys_active",   "is_active"),
+    )