CI: run the API auth/permission test suite on every PR (compose-based job) #500

Description

@aaronsb

ADR-401 item 5 · Audit: docs/security/security-consistency-audit-2026-06-09.md (F7)

~2,000 lines of auth/permission tests exist — `tests/api/test_endpoint_security.py`, `test_job_permissions.py`, `test_auth_dependencies.py`, `test_oauth_utils.py`, plus eight `test_*_auth.py` files — but no workflow executes them. They only run when a developer remembers `make test` against a local `kg-api-dev` container. This is the single largest exists-but-unwired enforcement gap.

Acceptance criteria

  • GitHub Actions job standing up Postgres + Apache AGE (service containers or `docker compose up` in the runner) and running at least the security-marked / auth-focused subset of `tests/api/` on PRs to `main`
  • Job is required (blocking), not informational
  • Runtime kept reasonable (subset selection or parallelization is fine; full suite can stay local/nightly)
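
One shape such a job could take, as an added example that is not part of the issue or the project's own workflow. Assumed, not from the issue: the workflow and job names, the `apache/age` image tag, `requirements.txt`, the database variable names and values, and that all listed test files live under `tests/api/`.

```yaml
# Added example (hypothetical file: .github/workflows/api-auth-tests.yml).
name: api-auth-tests
on:
  pull_request:
    branches: [main]      # no paths: filter, a skipped required check never reports
permissions:
  contents: read          # the job only reads the PR's code
jobs:
  api-auth-tests:         # keep the name stable; branch protection refers to it
    runs-on: ubuntu-latest
    timeout-minutes: 15   # bound runtime; a hung container fails the check
    services:
      postgres:
        image: apache/age:latest            # assumed tag; pin a version or digest
        env:
          POSTGRES_USER: kg                 # assumed names and throwaway values
          POSTGRES_PASSWORD: ci-only-password
          POSTGRES_DB: kg_test
        ports: ["5432:5432"]
        options: >-
          --health-cmd "pg_isready -U kg -d kg_test"
          --health-interval 5s
          --health-timeout 5s
          --health-retries 12
    env:                                    # assumed variable names read by the tests
      POSTGRES_HOST: localhost
      POSTGRES_PORT: "5432"
      POSTGRES_USER: kg
      POSTGRES_PASSWORD: ci-only-password
      POSTGRES_DB: kg_test
    steps:
      - uses: actions/checkout@v4           # pin to a commit SHA in practice
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"            # assumed interpreter version
      - run: pip install -r requirements.txt pytest
      - name: Run auth/permission tests
        # -rs lists skipped tests, so a suite that skips itself is visible.
        # A glob that matches nothing makes pytest exit non-zero (fails closed).
        run: |
          pytest -rs \
            tests/api/test_endpoint_security.py \
            tests/api/test_job_permissions.py \
            tests/api/test_auth_dependencies.py \
            tests/api/test_oauth_utils.py \
            tests/api/test_*_auth.py
```

Making the job blocking is not expressed in the workflow file: the `api-auth-tests` check has to be selected as a required status check in the branch protection rule or ruleset for `main`.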

Labels

  • api: REST API related
  • enforcement-baseline: Deterministic security enforcement cluster (consistency audit 2026-06-09, ADR-401)
  • security: Security-related changes
  • testing: Test coverage