feat(EM-39): Implement Spring Security Foundation and Authentication Configuration

[devin-ai-integration]

Summary

Implements Phase 3 (Security Baseline) by creating a new shared-libraries/ftgo-security library and adding Spring Security across the platform.

New ftgo-security-lib provides:

• FtgoBaseSecurityConfiguration: Bean-based SecurityFilterChain with stateless sessions, CSRF disabled, CORS from properties, HTTP Basic auth
• FtgoSecurityProperties: Externalized config under ftgo.security.* for CORS and public paths
• FtgoAuthenticationEntryPoint / FtgoAccessDeniedHandler: JSON 401/403 error responses
• SecurityExceptionHandlerFilter: Catches unexpected errors in the security filter chain
• SecurityUtils: Convenience methods for accessing the current security context
• Auto-configuration via META-INF/spring/...AutoConfiguration.imports

Version catalog changes (libs.versions.toml):

• spring-boot-starter-security added to spring-boot-service bundle (all services get it)
• spring-security-test added to testing bundle
• ftgo-security-lib added to shared libraries section

Credential externalization:

• ftgo-application/application.properties: DB credentials now use ${MYSQL_USERNAME} / ${MYSQL_PASSWORD} env vars
• ftgo-order-service test properties: same, with fallback defaults
• docker-compose.yml: credentials now require env vars (will fail without .env or exported vars)
• K8s ftgo-mysql-deployment.yml: credentials now read from ftgo-db-credentials Secret

32 tests pass in the security lib (integration + unit).

Updates since last revision

Resolved merge conflicts with feat/microservices-migration-v5, which had received observability infrastructure (Prometheus/Grafana), API gateway, new shared libraries (ftgo-common-jpa, ftgo-domain, ftgo-observability), and CI workflows since this branch was created.

Key merge decisions:

• Replaced base branch's flat-package security skeleton (net.chrisrichardson.ftgo.security.FtgoSecurityAutoConfiguration, SecurityExceptionHandler, SecurityUtils, FtgoSecurityProperties, FtgoAuthenticationEntryPoint) with this PR's more complete subpackaged implementation (config/, exception/, util/). The deleted files were a simpler scaffold added to the base branch by another PR.
• Kept all base branch additions: observability bundle, ftgo-common-jpa-lib, ftgo-domain-lib, micrometer, services:api-gateway, new CI workflows
• Updated build.gradle: added ftgo.testing-conventions plugin, jackson.databind dependency (used by JSON error handlers)
• Fixed CORS test: renamed defaultCorsAllowsAllOrigins() → corsOriginsAreConfigurable() since merged application.yml sets specific origins instead of wildcard *

Review & Testing Checklist for Human

• Deleted base-branch security skeleton replaced correctly: This PR removes 5 Java files from net.chrisrichardson.ftgo.security (flat package) that were added by another PR on the base branch, replacing them with subpackaged equivalents under config/, exception/, util/. Verify the replacement classes have equivalent or better functionality (e.g., @ConditionalOnProperty, @ConditionalOnWebApplication, @AutoConfiguration annotations). The AutoConfiguration.imports now points to FtgoBaseSecurityConfiguration instead of FtgoSecurityAutoConfiguration.
• Bundle change adds security to all services implicitly: spring-boot-starter-security was added to the spring-boot-service bundle. Any service using libs.bundles.spring.boot.service will now get Spring Security on its classpath with default auto-config (all endpoints locked, random password in logs), since no service yet declares a dependency on ftgo-security-lib. Verify this is the intended rollout strategy vs. having services opt-in explicitly.
• Missing password default in ftgo-application/application.properties: spring.datasource.password=${MYSQL_PASSWORD} has no fallback, unlike the order-service test props which use ${MYSQL_PASSWORD:mysqlpw}. This will fail at startup if the env var is unset. Confirm this is intentional or add a dev default.
• docker-compose.yml is now a breaking change for local dev: The ${MYSQL_ROOT_PASSWORD:?...} syntax requires env vars to be set. Anyone running docker-compose up without an .env file will get an error. Consider adding a sample .env.example or documenting the required vars.
• Dual test resource files: Both application.properties and application.yml exist in src/test/resources/ for the security lib. The .yml (from base branch) overrides CORS defaults from .properties, which already caused a test adjustment. Verify there are no other subtle override conflicts.
• Run full build: ./gradlew clean build test (excluding the pre-existing e2e eventuate-util-test failure) to confirm no regressions after the merge, especially in modules that now have Spring Security on the classpath.

Notes

• The e2e test modules (ftgo-end-to-end-tests, ftgo-end-to-end-tests-common) have a pre-existing dependency issue with eventuate-util-test — unrelated to this PR.
• FtgoAuthenticationEntryPoint and FtgoAccessDeniedHandler instantiate their own ObjectMapper rather than using the Spring-managed one. This is fine for error response bodies but won't include custom FTGO serializers (Money, DateTime).
• Services will need to add implementation project(":shared-libraries:ftgo-security") to their build.gradle in a follow-up to activate the custom FtgoBaseSecurityConfiguration (rather than Spring's defaults).

Link to Devin session: https://app.devin.ai/sessions/6bf87ff50ed64676aecff85ab2fbb569
Requested by: @mbatchelor81

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring