Feat: Implement JWT bearer token authentication

Protects image upload, delete, and tag-update endpoints behind
Bearer token auth. Public read endpoints remain open. Angular SPA
gains a login page, auth interceptor, and route guard for /upload.

- JWTAuthProvider (HS256, sub/iat/exp, secrets.compare_digest)
- POST /api/v1/auth/token login endpoint
- require_auth FastAPI dependency on all write routes
- AuthService, LoginComponent, authInterceptor, authGuard
- Detail page hides write controls for unauthenticated visitors
- 43 unit tests passing; integration tests require Docker stack

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

api/app/auth/provider.py

@@ -10,5 +10,5 @@ class Identity:
 
 class AuthProvider(ABC):
     @abstractmethod
-    async def get_identity(self) -> Identity:
-        """Resolve the request identity."""
+    async def get_identity(self, authorization: str | None) -> Identity:
+        """Resolve the request identity from the Authorization header value."""