Feat cern mattermost support#526

Draft
hassan11196 wants to merge 4 commits into archi-physics:main from hassan11196:feat-cern-mattermost-support
Conversation

Collaborator

@hassan11196 hassan11196 commented Mar 18, 2026

Mattermost RBAC Authentication

Summary

  • Mattermost now supports two auth modes: a static config-based allowlist
    (token_store: config) and an SSO-backed DB mode (token_store: db) where
    roles are pulled from CERN JWT tokens and stored in PostgreSQL
  • ContextVar-based user context (MattermostUserContext) propagates
    Mattermost user identity through the full call stack, including into agent
    tool permission checks — no Flask session required
  • SSO login flow lives entirely in the Mattermost service Flask app
    (/mattermost-auth + /mattermost-auth/callback), keeping app.py unchanged
  • Silent role refresh every 24h using the stored refresh token; full
    re-login only required after session expiry (default 30 days)
  • mattermost:access permission gates Mattermost bot access independently
    of chat:query, so base-user (web chat) and Mattermost access can be
    controlled separately
  • Bug fix: RemoteCatalogClient.__init__ was missing retry_attempts and
    retry_backoff_seconds parameters and import time

Files changed

| File | Change |
|---|---|
| `src/utils/rbac/mattermost_context.py` | New: ContextVar-based per-request user context |
| `src/utils/mattermost_auth.py` | New: MattermostAuthManager, config mode and db mode |
| `src/utils/mattermost_token_service.py` | New: DB-backed SSO token store with silent role refresh |
| `src/interfaces/mattermost.py` | Auth integration for webhook and polling modes; SSO OAuth routes |
| `src/archi/pipelines/agents/tools/base.py` | Tool permission checks read Mattermost context before Flask session |
| `src/utils/rbac/permission_enum.py` | Added `Permission.Mattermost.ACCESS` |
| `src/cli/templates/init.sql` | Added `mattermost_tokens` table |
| `src/cli/templates/base-config.yaml` | Added `services.mattermost.auth` config block |
| `src/archi/pipelines/agents/tools/local_files.py` | Bug fix: missing params and `import time` |
| `docs/docs/services.md` | Full Mattermost auth documentation |
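The ContextVar-based user context and the tool-side permission check described above, as an added illustrative example that is not the PR's code: `MattermostUser`, `mattermost_user_context`, `has_permission` and `run_tool` are hypothetical names, and a plain dict stands in for the Flask session. The last function goes one step beyond the description to show why a ContextVar rather than a module global is the right carrier: two interleaved asyncio tasks each see only their own user.

```python
import asyncio
from contextvars import ContextVar
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class MattermostUser:  # hypothetical stand-in for what the PR's MattermostUserContext carries
    user_id: str
    permissions: frozenset = field(default_factory=frozenset)

# One ContextVar per process; each request or asyncio task sees only the value it set itself.
_current_user: ContextVar[Optional[MattermostUser]] = ContextVar("mattermost_user", default=None)

class mattermost_user_context:
    """Bind a Mattermost user for one request, then restore whatever was bound before."""
    def __init__(self, user: MattermostUser):
        self._user, self._token = user, None
    def __enter__(self) -> MattermostUser:
        self._token = _current_user.set(self._user)
        return self._user
    def __exit__(self, *exc) -> None:
        _current_user.reset(self._token)  # no identity left behind for the next request

def has_permission(permission: str, session: Optional[dict] = None) -> bool:
    """Tool-side check: the Mattermost context wins; otherwise fall back to a Flask-like session dict."""
    user = _current_user.get()
    if user is not None:
        return permission in user.permissions
    if session is not None:
        return permission in session.get("permissions", ())
    return False  # deny by default when no identity is bound at all

def run_tool(tool_name: str, required: str, session: Optional[dict] = None) -> str:
    """Gate a tool call as the PR describes: the permission check runs before the tool body."""
    if not has_permission(required, session):
        raise PermissionError(f"{tool_name}: missing {required}")
    return f"{tool_name} ran"

async def _check_as(user: MattermostUser, permission: str) -> bool:
    with mattermost_user_context(user):
        await asyncio.sleep(0)  # yield so the other task runs while this user is bound
        return has_permission(permission)

def concurrent_isolation() -> list:
    """Two interleaved tasks each see only their own user, so identity cannot leak across requests."""
    alice = MattermostUser("alice", frozenset({"mattermost:access", "chat:query"}))
    bob = MattermostUser("bob", frozenset({"chat:query"}))  # web chat only: no bot access
    async def both():
        return await asyncio.gather(_check_as(alice, "mattermost:access"), _check_as(bob, "mattermost:access"))
    return asyncio.run(both())
```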
