Add project-level authorization checks

Authorization:
- Add AuthorizationService for checking project access
- Implement get_user_access_level() with admin, owner, and permission checks
- Add check_project_access() helper for route handlers
- Add grant_access() and revoke_access() methods
- Add ProjectAccessChecker dependency class

Routes:
- Add authorization checks to project CRUD (read, update, delete)
- Add authorization checks to package create
- Add authorization checks to upload endpoint (requires write)
- Add authorization checks to download endpoint (requires read)
- Add authorization checks to tag create

Tests:
- Fix pagination flakiness in test_list_projects
- Fix pagination flakiness in test_projects_search
- Add API key authentication to concurrent upload test
Mondo Diaz
2026-01-08 16:20:42 -06:00
parent b1c17e8ab7
commit d61c7a71fb
5 changed files with 316 additions and 37 deletions


@@ -286,6 +286,14 @@ class TestConcurrentUploads:
expected_hash = compute_sha256(content)
num_concurrent = 5
# Create an API key for worker threads
api_key_response = integration_client.post(
"/api/v1/auth/keys",
json={"name": "concurrent-test-key"},
)
assert api_key_response.status_code == 200, f"Failed to create API key: {api_key_response.text}"
api_key = api_key_response.json()["key"]
results = []
errors = []
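Review bot: The key created by the POST to "/api/v1/auth/keys" uses the fixed name "concurrent-test-key" and nothing in this hunk removes it afterwards, so each run against a long-lived integration server leaves a live credential behind, and a second run may collide on the name if names are unique. Consider moving the creation into a fixture that generates a unique name per run and deletes the key in teardown. The request body carries only a name, so the key presumably inherits whatever access integration_client has; if the API accepts a scope, limiting the key to write access on the test project would exercise the new checks more precisely.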
@@ -306,6 +314,7 @@ class TestConcurrentUploads:
f"/api/v1/project/{project}/{package}/upload",
files=files,
data={"tag": f"concurrent-{tag_suffix}"},
headers={"Authorization": f"Bearer {api_key}"},
)
if response.status_code == 200:
results.append(response.json())
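Review bot: The worker request now always sends headers={"Authorization": f"Bearer {api_key}"}, so this test only exercises the authorized path of the upload endpoint. Since the commit states that upload requires write, add a companion case that posts to the same upload URL with no Authorization header, and one with a key that lacks write on the project, asserting the request is rejected rather than returning 200. Without it, a regression that drops the check from the upload route would still pass this test.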