2 changes: 2 additions & 0 deletions pyproject.toml
Expand Up @@ -53,7 +53,9 @@ dependencies = [
"auth0-fastapi>=1.0.0b5,<2",
"certifi>=2024",
"fastapi>=0.110,<1",
"httpx>=0.28,<1",
"loguru>=0.7,<1",
"PyJWT[cryptography]>=2.10,<3",
"platformdirs>=4,<5",
"psutil>=6",
"pydantic>=2,<3",
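Review bot: `"PyJWT[cryptography]>=2.10,<3"` breaks the case-insensitive alphabetical order of this dependency list (it sits between `loguru` and `platformdirs`, while `psutil` and `pydantic` follow it); move it after `pydantic` so the list stays sorted. The `[cryptography]` extra itself is correct and should stay: PyJWT can only verify RSA/EC signatures when that extra is installed, which JWKS-based verification of Auth0 tokens needs. Also confirm `"httpx>=0.28,<1"` is actually used by the JWKS fetch in `api.auth`, since AGENTS.md now lists it as a mandatory dependency of that module.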
21 changes: 10 additions & 11 deletions src/aignostics_foundry_core/AGENTS.md
Expand Up @@ -11,7 +11,7 @@ This file provides an overview of all modules in `aignostics_foundry_core`, thei
| **models** | Shared output format enum | `OutputFormat` StrEnum with `YAML` and `JSON` values for use in CLI and API responses |
| **process** | Current process introspection | `ProcessInfo`, `ParentProcessInfo` Pydantic models and `get_process_info()` for runtime process metadata; `SUBPROCESS_CREATION_FLAGS` for subprocess creation |
| **api.exceptions** | API exception hierarchy and FastAPI handlers | `ApiException` (500), `NotFoundException` (404), `AccessDeniedException` (401); `api_exception_handler`, `unhandled_exception_handler`, `validation_exception_handler` for FastAPI registration |
| **api.auth** | Auth0 authentication FastAPI dependencies | `AuthSettings` (env-prefix and env files derived from `ctx.env_prefix`/`ctx.env_file`), `UnauthenticatedError`, `ForbiddenError` (403); `get_auth_client`, `get_user`, `require_authenticated`, `require_admin`, `require_internal`, `require_internal_admin` FastAPI dependencies; Auth0 cookie security schemes |
| **api.auth** | Auth0 authentication FastAPI dependencies (cookie + Bearer JWT) | `AuthSettings` (env-prefix from `ctx.env_prefix`; fields: `cookie_enabled`, `enabled` (deprecated alias), `jwt_enabled`, `jwt_audience`, domain, credentials, org, role); `UnauthenticatedError`, `ForbiddenError` (403); `get_auth_client`, `get_user` (tries Bearer first, falls back to cookie), `require_authenticated`, `require_admin`, `require_internal`, `require_internal_admin` FastAPI dependencies; Auth0 cookie + Bearer security schemes for OpenAPI |
| **api.core** | Versioned API router and FastAPI factory | `VersionedAPIRouter` (tracks all created instances), `API_TAG_*` constants, `create_public/authenticated/admin/internal/internal_admin_router` factories, `build_api_metadata`, `build_versioned_api_tags`, `build_root_api_tags`, `get_versioned_api_instances(versions, build_metadata=None, *, context=None)`, `init_api()` |
| **api** | Consolidated API sub-package | Re-exports all public symbols from `api.exceptions`, `api.auth`, and `api.core`; import any API symbol directly from `aignostics_foundry_core.api` |
| **log** | Configurable loguru logging initialisation | `logging_initialize(filter_func=None, *, context=None)`, `LogSettings` (env-prefix configurable), `InterceptHandler` for stdlib-to-loguru bridging |
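Review bot: the new `api.auth` row summarises the `AuthSettings` fields as `domain, credentials, org, role`, which are not the field names the module section below uses (`client_id`, `client_secret`, `internal_org_id`, `role_claim`); use the real names so the table can be grepped against the code. "tries Bearer first, falls back to cookie" should also state what happens when an `Authorization: Bearer` header is present but fails verification: whether the cookie is still consulted or the request is rejected outright, since that decides whether a stale or wrong token can silently downgrade to session auth.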
Expand Down Expand Up @@ -108,22 +108,21 @@ This file provides an overview of all modules in `aignostics_foundry_core`, thei

### api.auth

**Auth0 authentication and authorization FastAPI dependencies**
**Auth0 authentication and authorization FastAPI dependencies (cookie + Bearer JWT)**

- **Purpose**: Provides Auth0 cookie-based session authentication dependencies for FastAPI routes. All project-specific settings (org ID, role claim) are loaded from `AuthSettings` whose env prefix is configurable at instantiation.
- **Purpose**: Provides Auth0 cookie-based session and JWT Bearer token authentication dependencies for FastAPI routes. Each `require_*` dependency accepts either an Auth0 session cookie **or** a Bearer JWT — Bearer is tried first, cookie is the fallback.
- **Key Features**:
- `AuthSettings(OpaqueSettings)` — uses the active FoundryContext to derive both the env prefix (`{ctx.env_prefix}AUTH_`) and the env file list (`ctx.env_file`). Fields: `internal_org_id` (required `str`; identifies the internal organization), `auth0_role_claim` (required `str`; JWT claim name for role). Both fields are mandatory — no defaults are provided.
- `AuthSettings(OpaqueSettings)` — uses the active FoundryContext (`{ctx.env_prefix}AUTH_`). Key fields: `cookie_enabled` (`AUTH_COOKIE_ENABLED`; new primary name), `enabled` (`AUTH_ENABLED`; deprecated alias for `cookie_enabled`, kept for backwards compat), `jwt_enabled` (`AUTH_JWT_ENABLED`; opt-in Bearer JWT auth), `jwt_audience` (`AUTH_JWT_AUDIENCE`; required when `jwt_enabled=True`), `domain`, `client_id`, `client_secret`, `internal_org_id`, `role_claim`, `session_secret`, `session_expiration`.
- `UnauthenticatedError(Exception)` — raised when a user session is missing or invalid
- `ForbiddenError(ApiException)` — `status_code = 403`; raised when user lacks required role or org membership
- `get_auth_client(request)` — retrieves `AuthClient` from `request.app.state.auth_client`; raises `RuntimeError` if not configured
- `get_user(request, _cookie)` — async FastAPI dependency; returns user dict from Auth0 session or `None`; validates expiry; sets Sentry user context
- `require_authenticated` — dependency: requires a valid session
- `require_admin` — dependency: requires admin role
- `require_internal` — dependency: requires internal organization membership
- `require_internal_admin` — dependency: requires internal org membership AND admin role
- Auth0 cookie security scheme constants: `AUTH0_SESSION_COOKIE_NAME`, `AUTH0_TRANSACTION_COOKIE_NAME`, `AUTH0_ROLE_ADMIN`
- `get_user(request, _cookie, _bearer)` — async FastAPI dependency; tries Bearer JWT first (when `jwt_enabled=True`), falls back to cookie; returns user dict or `None`; sets Sentry user context
- `require_authenticated`, `require_admin`, `require_internal`, `require_internal_admin` — FastAPI dependencies; each accepts both cookie and Bearer schemes in OpenAPI
- Cookie security schemes: `auth0_session_scheme`, `auth0_admin_scheme`, `auth0_internal_scheme`, `auth0_internal_admin_scheme` (`APIKeyCookie`)
- Bearer security schemes: `auth0_bearer_scheme`, `auth0_admin_bearer_scheme`, `auth0_internal_bearer_scheme`, `auth0_internal_admin_bearer_scheme` (`HTTPBearer`)
- Constants: `AUTH0_SESSION_COOKIE_NAME`, `AUTH0_TRANSACTION_COOKIE_NAME`, `AUTH0_ROLE_ADMIN`, `AUTH0_JWKS_ALGORITHMS`, `AUTH0_JWKS_CACHE_TTL`
- **Location**: `aignostics_foundry_core/api/auth.py`
- **Dependencies**: `auth0-fastapi>=1.0.0b5,<2`, `fastapi>=0.110,<1`, `loguru>=0.7,<1` (all mandatory)
- **Dependencies**: `auth0-fastapi>=1.0.0b5,<2`, `fastapi>=0.110,<1`, `loguru>=0.7,<1`, `PyJWT[cryptography]>=2.10,<3`, `httpx>=0.28,<1` (all mandatory)
- **Import**: `from aignostics_foundry_core.api.auth import AuthSettings, ForbiddenError, UnauthenticatedError, get_auth_client, get_user, require_authenticated, require_admin, require_internal, require_internal_admin`

### api.core
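Review bot: the rewritten `get_user(request, _cookie, _bearer)` bullet drops the "validates expiry" clause the old line carried for the cookie session; if expiry is still checked on the cookie path, keep that wording, and add which claims the Bearer path verifies (signature against the JWKS restricted to `AUTH0_JWKS_ALGORITHMS`, `aud` against `jwt_audience`, `exp`), because this file is where a reader learns what a "valid" token means. Two smaller documentation gaps in the same hunk: the `cookie_enabled` / `enabled` bullet should say which value wins when `AUTH_ENABLED` and `AUTH_COOKIE_ENABLED` are both set and disagree, and the `require_*` bullet should say whether the Bearer scheme is still advertised in OpenAPI when `jwt_enabled=False`. The **Import** line was left unchanged and omits the new `auth0_*_bearer_scheme` names; either list them or note that they are reachable through the `aignostics_foundry_core.api` re-export described in the module table.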