fix: case-insensitive email auth and AI Gateway fallback

[datasciencemonkey]

Summary

Cherry-pick of #114 by @dgokeeffe, rebased onto current main (v0.17.0).

• Case-insensitive email auth: All email comparisons normalized to .lower() at ingestion points — fixes access denied when SSO X-Forwarded-Email header casing differs from stored owner email (e.g. RC.Guan@ vs rc.guan@)
• AI Gateway fallback: Auto-discovered gateway URLs are now probed for reachability (2s timeout GET). Workspaces without AI Gateway gracefully fall back to {DATABRICKS_HOST}/serving-endpoints/anthropic. Probe result cached in _GATEWAY_RESOLVED env var so setup subprocesses skip re-probing

Changes

File	What
app.py	.lower() in get_token_owner(), get_request_user(), WebSocket auth; resolve_and_cache_gateway() calls in run_setup() and _configure_all_cli_auth()
utils.py	_probe_gateway(), resolve_and_cache_gateway(), Tier 0 _GATEWAY_RESOLVED check in get_gateway_host()
tests/test_gateway_discovery.py	3 new Tier 0 cache tests, probe mocks on Tier 2 tests, _GATEWAY_RESOLVED in integration test env
pyproject.toml	Version bump to 0.17.1

Credit

All work in this PR is by David O'Keeffe (@dgokeeffe). Original PR: #114. Cherry-picked onto v0.17.0 main to resolve line-offset drift from #119.

Test plan

• pytest tests/test_gateway_discovery.py — 12 pass
• pytest tests/test_ws_authorization.py — 16 pass
• Full suite: 182 tests pass, zero failures
• Deploy to workspace without AI Gateway — verify fallback to serving-endpoints
• Verify user with mixed-case email can access their CODA instance

[datasciencemonkey]

Context note: While the code changes here are simple, this was a real blocker — CoDA couldn't deploy on workspaces without AI Gateway enabled. The gateway auto-discovery would construct a URL, never verify it was reachable, and all agent setup scripts would fail trying to hit a non-existent endpoint. David's probe + fallback pattern fixes this cleanly.