feat: add Keycloak authentication for dashboard and API endpoints (#2)

Dashboard: OAuth2/OIDC login flow with PKCE, session-based auth middleware
protecting all server function endpoints, check-auth server function for
frontend auth state, login page gate in AppShell, user info in sidebar.

Agent API: JWT validation middleware using Keycloak JWKS endpoint,
conditionally enabled when KEYCLOAK_URL and KEYCLOAK_REALM are set.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Co-authored-by: Sharang Parnerkar <parnerkarsharang@gmail.com>
Reviewed-on: #2

compliance-dashboard/src/infrastructure/auth_check.rs

@@ -0,0 +1,32 @@
+use compliance_core::models::auth::AuthInfo;
+use dioxus::prelude::*;
+
+/// Check the current user's authentication state.
+///
+/// Reads the tower-sessions session on the server and returns an
+/// [`AuthInfo`] describing the logged-in user. When no valid session
+/// exists, `authenticated` is `false` and all other fields are empty.
+#[server(endpoint = "check-auth")]
+pub async fn check_auth() -> Result<AuthInfo, ServerFnError> {
+    use super::auth::LOGGED_IN_USER_SESS_KEY;
+    use super::user_state::UserStateInner;
+    use dioxus_fullstack::FullstackContext;
+
+    let session: tower_sessions::Session = FullstackContext::extract().await?;
+
+    let user_state: Option<UserStateInner> = session
+        .get(LOGGED_IN_USER_SESS_KEY)
+        .await
+        .map_err(|e| ServerFnError::new(format!("session read failed: {e}")))?;
+
+    match user_state {
+        Some(u) => Ok(AuthInfo {
+            authenticated: true,
+            sub: u.sub,
+            email: u.user.email,
+            name: u.user.name,
+            avatar_url: u.user.avatar_url,
+        }),
+        None => Ok(AuthInfo::default()),
+    }
+}