Add frontend access control enhancements and JWT support

- Hide New Project button for unauthenticated users, show login link
- Add lock icon for private projects on home page
- Show access level badges on project cards (Owner, Admin, Write, Read)
- Add permission expiration date field to AccessManagement component
- Add query timeout configuration for database (ORCHARD_DATABASE_QUERY_TIMEOUT)
- Add JWT token validation support for external identity providers
  - Configurable via ORCHARD_JWT_* environment variables
  - Supports HS256 with secret or RS256 with JWKS
  - Auto-provisions users from JWT claims

backend/app/config.py

@@ -25,6 +25,7 @@ class Settings(BaseSettings):
     database_pool_recycle: int = (
         1800  # Recycle connections after this many seconds (30 min)
     )
+    database_query_timeout: int = 30  # Query timeout in seconds (0 = no timeout)
 
     # S3
     s3_endpoint: str = ""
@@ -52,6 +53,17 @@ class Settings(BaseSettings):
     log_level: str = "INFO"  # DEBUG, INFO, WARNING, ERROR, CRITICAL
     log_format: str = "auto"  # "json", "standard", or "auto" (json in production)
 
+    # JWT Authentication settings (optional, for external identity providers)
+    jwt_enabled: bool = False  # Enable JWT token validation
+    jwt_secret: str = ""  # Secret key for HS256, or leave empty for RS256 with JWKS
+    jwt_algorithm: str = "HS256"  # HS256 or RS256
+    jwt_issuer: str = ""  # Expected issuer (iss claim), leave empty to skip validation
+    jwt_audience: str = ""  # Expected audience (aud claim), leave empty to skip validation
+    jwt_jwks_url: str = ""  # JWKS URL for RS256 (e.g., https://auth.example.com/.well-known/jwks.json)
+    jwt_username_claim: str = (
+        "sub"  # JWT claim to use as username (sub, email, preferred_username, etc.)
+    )
+
     @property
     def database_url(self) -> str:
         sslmode = f"?sslmode={self.database_sslmode}" if self.database_sslmode else ""