Add project-level authorization checks

Authorization:
- Add AuthorizationService for checking project access
- Implement get_user_access_level() with admin, owner, and permission checks
- Add check_project_access() helper for route handlers
- Add grant_access() and revoke_access() methods
- Add ProjectAccessChecker dependency class

Routes:
- Add authorization checks to project CRUD (read, update, delete)
- Add authorization checks to package create
- Add authorization checks to upload endpoint (requires write)
- Add authorization checks to download endpoint (requires read)
- Add authorization checks to tag create

Tests:
- Fix pagination flakiness in test_list_projects
- Fix pagination flakiness in test_projects_search
- Add API key authentication to concurrent upload test

backend/tests/conftest.py

@@ -182,9 +182,10 @@ def test_app():
 @pytest.fixture
 def integration_client():
     """
-    Create a test client for integration tests.
+    Create an authenticated test client for integration tests.
 
     Uses the real database and MinIO from docker-compose.local.yml.
+    Authenticates as admin for write operations.
     """
     from httpx import Client
 
@@ -192,6 +193,15 @@ def integration_client():
     base_url = os.environ.get("ORCHARD_TEST_URL", "http://localhost:8080")
 
     with Client(base_url=base_url, timeout=30.0) as client:
+        # Login as admin to enable write operations
+        login_response = client.post(
+            "/api/v1/auth/login",
+            json={"username": "admin", "password": "changeme123"},
+        )
+        # If login fails, tests will fail - that's expected if auth is broken
+        if login_response.status_code != 200:
+            # Try to continue without auth for backward compatibility
+            pass
         yield client