feat(insta-lab): verify_internal_key auth for Windows webhook (SP-4)

X-Internal-Key 헤더 검증 dependency. .env의 INTERNAL_API_KEY와 비교.
미설정 시 401 (fail-safe). Plan-B-Insta Phase 1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

insta-lab/app/auth.py

@@ -0,0 +1,17 @@
+"""SP-4 — Windows worker → NAS internal webhook 인증.
+
+X-Internal-Key 헤더를 .env의 INTERNAL_API_KEY와 비교.
+서버 측 키 미설정 시 401 (안전한 기본값).
+"""
+from __future__ import annotations
+
+import os
+from fastapi import Header, HTTPException
+
+
+def verify_internal_key(x_internal_key: str = Header(...)):
+    expected = os.getenv("INTERNAL_API_KEY")
+    if not expected:
+        raise HTTPException(401, "INTERNAL_API_KEY not configured on server")
+    if x_internal_key != expected:
+        raise HTTPException(401, "Invalid X-Internal-Key")

insta-lab/tests/test_auth.py

@@ -0,0 +1,25 @@
+"""verify_internal_key dependency — Windows webhook 인증."""
+import os
+import pytest
+from fastapi import HTTPException
+from app.auth import verify_internal_key
+
+
+def test_valid_key_passes(monkeypatch):
+    monkeypatch.setenv("INTERNAL_API_KEY", "secret123")
+    # dependency가 raise 안 하면 통과
+    verify_internal_key(x_internal_key="secret123")
+
+
+def test_invalid_key_raises_401(monkeypatch):
+    monkeypatch.setenv("INTERNAL_API_KEY", "secret123")
+    with pytest.raises(HTTPException) as exc:
+        verify_internal_key(x_internal_key="wrong")
+    assert exc.value.status_code == 401
+
+
+def test_missing_env_key_raises_401(monkeypatch):
+    monkeypatch.delenv("INTERNAL_API_KEY", raising=False)
+    with pytest.raises(HTTPException) as exc:
+        verify_internal_key(x_internal_key="any")
+    assert exc.value.status_code == 401