Add Keycloak authentication for dashboard and API endpoints

Dashboard: OAuth2/OIDC login flow with PKCE, session-based auth middleware
protecting all server function endpoints, check-auth server function for
frontend auth state, login page gate in AppShell, user info in sidebar.

Agent API: JWT validation middleware using Keycloak JWKS endpoint,
conditionally enabled when KEYCLOAK_URL and KEYCLOAK_REALM are set.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

compliance-core/src/config.rs

@@ -24,6 +24,8 @@ pub struct AgentConfig {
     pub scan_schedule: String,
     pub cve_monitor_schedule: String,
     pub git_clone_base_path: String,
+    pub keycloak_url: Option<String>,
+    pub keycloak_realm: Option<String>,
 }
 
 #[derive(Clone, Debug, Serialize, Deserialize)]

compliance-core/src/models/auth.rs

@@ -0,0 +1,14 @@
+use serde::{Deserialize, Serialize};
+
+/// Authentication state returned by the `check_auth` server function.
+///
+/// When no valid session exists, `authenticated` is `false` and all
+/// other fields are empty strings.
+#[derive(Debug, Clone, Serialize, Deserialize, Default, PartialEq)]
+pub struct AuthInfo {
+    pub authenticated: bool,
+    pub sub: String,
+    pub email: String,
+    pub name: String,
+    pub avatar_url: String,
+}

compliance-core/src/models/mod.rs

@@ -1,3 +1,4 @@
+pub mod auth;
 pub mod chat;
 pub mod cve;
 pub mod dast;
@@ -9,6 +10,7 @@ pub mod repository;
 pub mod sbom;
 pub mod scan;
 
+pub use auth::AuthInfo;
 pub use chat::{ChatMessage, ChatRequest, ChatResponse, SourceReference};
 pub use cve::{CveAlert, CveSource};
 pub use dast::{