Backport From Pulse Again

[lbedner]

No description provided.

[Copilot]

Pull request overview

This PR backports several template/runtime updates across encryption, insights collection, and auth to improve security posture (versioned AEAD encryption), user experience (optional collectors can be “skipped” rather than “failed”), and extensibility (auth hooks + new auth helpers).

Changes:

• Replace Fernet-based column encryption with versioned AES-256-GCM ciphertexts, optional AAD “context” binding, and legacy (v1) decrypt support.
• Add CollectionResult.skipped and update Plausible + CLI/job logging to treat unconfigured optional sources as skipped.
• Extend auth service with post-user-created hooks, new credential/password helpers, and new deps (get_optional_user, get_verified_user, require_admin), plus related settings.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
aegis/templates/copier-aegis-project/{{ project_slug }}/tests/test_encryption.py.jinja	Updates/enhances encryption tests for AES-GCM, AAD context, and v2 prefix behavior.
aegis/templates/copier-aegis-project/{{ project_slug }}/tests/services/test_collector_plausible.py	Adjusts Plausible collector tests to assert “skipped” instead of failure when unconfigured.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/insights/jobs.py.jinja	Logs skipped collectors distinctly during scheduled collection runs.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/insights/collectors/plausible.py.jinja	Makes Plausible opt-in by returning skipped=True when missing configuration.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/insights/collectors/base.py.jinja	Adds skipped: bool to CollectionResult to distinguish “not configured” from failures.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/auth/user_service.py.jinja	Adds post-create hooks, password change + shared auth logic, and invalidates prior verification tokens on resend.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/auth/hooks.py	Introduces an extension-point hook registry for “post user created”.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/auth/deps.py.jinja	Adds optional-user, verified-user, and admin-only FastAPI deps.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/core/security.py.jinja	Scales access-token/session-cookie lifetime up in dev via a multiplier setting.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/core/encryption.py	Implements AES-GCM v2 encryption with version prefixing, optional AAD context, and key-rotation helpers.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/core/config.py.jinja	Adds ADMIN_USER_EMAILS, ENCRYPTION_KEY, and DEV_TOKEN_EXPIRE_MULTIPLIER settings.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/cli/insights.py.jinja	Prints skipped collector results as a yellow notice instead of success/failure.