feat: add Keycloak authentication for dashboard and API endpoints (#2)

Dashboard: OAuth2/OIDC login flow with PKCE, session-based auth middleware
protecting all server function endpoints, check-auth server function for
frontend auth state, login page gate in AppShell, user info in sidebar.

Agent API: JWT validation middleware using Keycloak JWKS endpoint,
conditionally enabled when KEYCLOAK_URL and KEYCLOAK_REALM are set.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com>
Reviewed-on: #2

compliance-core/src/models/auth.rs

@@ -0,0 +1,14 @@
+use serde::{Deserialize, Serialize};
+
+/// Authentication state returned by the `check_auth` server function.
+///
+/// When no valid session exists, `authenticated` is `false` and all
+/// other fields are empty strings.
+#[derive(Debug, Clone, Serialize, Deserialize, Default, PartialEq)]
+pub struct AuthInfo {
+    pub authenticated: bool,
+    pub sub: String,
+    pub email: String,
+    pub name: String,
+    pub avatar_url: String,
+}

compliance-core/src/models/mod.rs

@@ -1,3 +1,4 @@
+pub mod auth;
 pub mod chat;
 pub mod cve;
 pub mod dast;
@@ -9,6 +10,7 @@ pub mod repository;
 pub mod sbom;
 pub mod scan;
 
+pub use auth::AuthInfo;
 pub use chat::{ChatMessage, ChatRequest, ChatResponse, SourceReference};
 pub use cve::{CveAlert, CveSource};
 pub use dast::{