feat(auth): deny-by-default gate middleware + require_role

Adds operator_gate Starlette HTTP middleware that gates every route
except an explicit allow-list. Flag defaults OFF so all existing
behaviour and tests are unchanged. wire_operator_auth helper in
conftest lets tests monkeypatch the module-global SessionLocal and
flag, keeping the gate's own DB session pointed at the test engine.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/conftest.py

@@ -62,3 +62,15 @@ def make_project(db_session, name=None, **kwargs):
     db_session.add(p)
     db_session.commit()
     return p
+
+
+def wire_operator_auth(monkeypatch, db_session, enabled=True):
+    """Point the gate middleware's SessionLocal at the test engine and flip the
+    flag. The middleware opens its OWN session (it can't use the get_db override),
+    so it must read the same engine the test writes to."""
+    import backend.operator_auth as oa
+    from sqlalchemy.orm import sessionmaker
+    maker = sessionmaker(bind=db_session.get_bind(), autocommit=False, autoflush=False)
+    monkeypatch.setattr(oa, "SessionLocal", maker, raising=False)
+    monkeypatch.setattr(oa, "OPERATOR_AUTH_ENABLED", enabled, raising=False)
+    return oa