feat: add tls and api key authentication support

[vieiralucas]

Summary

Add TLS and API key authentication support to the Python SDK, achieving feature parity with the Rust SDK (Epic 15).

• ca_cert, client_cert, client_key params for TLS/mTLS on both sync and async clients
• api_key param for Bearer token auth on every RPC
• Full interceptor implementations for both sync (grpc.intercept_channel) and async (grpc.aio interceptors)
• Backward compatible: no auth options = same behavior as before

Test plan

• Integration tests pass with TLS-enabled fila-server
• API key auth test validates both success and rejection
• Both sync and async client paths tested

🤖 Generated with Claude Code

---

Summary by cubic

Adds TLS/mTLS and API key auth to the Python SDK (sync and async), including a tls=True option to use the system trust store. Extends the admin API with API key and ACL management; behavior is unchanged when no TLS/auth options are set.

• New Features

  • Client and AsyncClient support tls=True (system trust store) and ca_cert, client_cert, client_key for TLS/mTLS (ca_cert implies TLS).
  • api_key adds authorization: Bearer <key> on all RPCs via interceptors (sync and async).
  • Admin proto: CreateApiKey, RevokeApiKey, ListApiKeys, SetAcl, GetAcl; cluster fields added to GetStatsResponse, QueueInfo, ListQueuesResponse. README and tests updated for TLS/mTLS, system trust store, and API key (sync + async).

• Bug Fixes

  • Use concrete ClientCallDetails for sync; async uses a concrete _AsyncClientCallDetails.__new__ matching the 5-field namedtuple.
  • Validate TLS params: raise ValueError if client_cert/client_key provided without TLS.
  • Close gRPC channels in fixture retry loops; auth probe test fails on unexpected RPC codes and skips only when auth isn’t enforced.

^{Written for commit 8360d5f. Summary will update on new commits.}

[cubic-dev-ai]

3 issues found across 9 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="fila/client.py">

<violation number="1" location="fila/client.py:112">
P1: `client_cert`/`client_key` are silently ignored when `ca_cert` is not provided, falling through to an insecure channel. A user who forgets `ca_cert` gets a plaintext connection with no indication that their mTLS credentials were discarded. Raise a `ValueError` when client credentials are supplied without a CA certificate.</violation>
</file>

<file name="tests/conftest.py">

<violation number="1" location="tests/conftest.py:257">
P2: Close the gRPC channel in the retry loop even when `ListQueues` fails; currently the error path leaks channels during readiness polling.</violation>
</file>

<file name="fila/async_client.py">

<violation number="1" location="fila/async_client.py:44">
P2: Missing `compression` field when reconstructing `ClientCallDetails`. The sync interceptor in `client.py` correctly forwards `client_call_details.compression`, but the async interceptor drops it. This silently resets per-RPC compression settings to `None` for any call passing through the interceptor.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

1 issue found across 3 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="tests/test_client.py">

<violation number="1" location="tests/test_client.py:217">
P2: Do not skip the test for unexpected RPC errors; this masks real failures. Only skip for the specific non-enforcement case and fail otherwise.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}