api: expand FastAPI surface for scenarios, networth, life-events, goals, simulate

Adds the read+write endpoints the frontend needs to drive a
ProjectionLab-style UX on top of the existing engine.

- /networth, /networth/history    — NW total + per-account from
                                     account_snapshot (frontend chart)
- /scenarios CRUD + projection    — list/get/create/patch/delete user
                                     scenarios; cartesian read-only
- /scenarios/{id}/life-events     — life event CRUD nested under scenario
- /life-events/{id}               — patch + delete by id
- /scenarios/{id}/goals,
  /goals/{id}                     — retirement goal CRUD
- /simulate, /compare             — sync, no-DB-write what-if endpoints

Auth: Bearer-token dependency on writes + simulate when API_BEARER_TOKEN
is set; reads always open (lock down via Authentik-fronted ingress in
prod). Existing /recompute keeps its bearer auth.

CORS middleware reads FRONTEND_ORIGINS (comma-separated) for the dev
SPA. Lifespan now provisions the SQLAlchemy engine + session_factory
on app.state and disposes them on shutdown.

40 new tests covering happy paths and validation. 172 tests total.
mypy strict + ruff clean (B008 ignore added — Depends() in defaults
is the canonical FastAPI pattern, not a bug).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

fire_planner/api/auth.py

@@ -0,0 +1,42 @@
+"""Bearer-token auth shared across routers.
+
+Two modes, picked at startup from env:
+- API_BEARER_TOKEN set → enforce Bearer auth on all write/compute paths
+- API_BEARER_TOKEN unset (dev) → no auth, log a one-time warning
+
+Read endpoints (`/networth`, `/scenarios`, ...) skip auth entirely so
+the frontend can render without juggling tokens during dev. Lock those
+down later via Authentik-fronted ingress when we deploy.
+"""
+from __future__ import annotations
+
+import hmac
+import logging
+import os
+
+from fastapi import Header, HTTPException
+
+log = logging.getLogger(__name__)
+
+_warned_unauth = False
+
+
+def _read_token() -> str | None:
+    return os.environ.get("API_BEARER_TOKEN") or os.environ.get("RECOMPUTE_BEARER_TOKEN")
+
+
+async def require_bearer(authorization: str | None = Header(default=None)) -> None:
+    """FastAPI dependency: enforce bearer auth IF API_BEARER_TOKEN is set."""
+    expected = _read_token()
+    if not expected:
+        global _warned_unauth
+        if not _warned_unauth:
+            log.warning("API_BEARER_TOKEN unset — write endpoints are open. "
+                        "Set it before exposing this service.")
+            _warned_unauth = True
+        return
+    if not authorization or not authorization.startswith("Bearer "):
+        raise HTTPException(status_code=401, detail="Missing bearer token")
+    token = authorization.removeprefix("Bearer ")
+    if not hmac.compare_digest(token, expected):
+        raise HTTPException(status_code=401, detail="Invalid token")