Add credential system for external platform authentication

[Irozuku]

Summary

Adds an extensible authentication system for external platforms, driven by the backend. A new BaseCredential component type lets the app authenticate against HuggingFace and Kaggle, persists keys encrypted at rest, and exposes them through a REST API and a global "Credentials" manager modal. Components can now declare REQUIRED_CREDENTIALS / OPTIONAL_CREDENTIALS; the registry tracks a credentials_satisfied flag per component and the frontend reflects availability (locked and disabled cards when a required credential is missing, a key hint for optional ones). StableDiffusionV3 now requires a HuggingFace credential instead of a dedicated key field, and the HuggingFace dataset source uses it optionally.

---

Type of Change

• Backend change
• Frontend change
• CI / Workflow change
• Build / Packaging change
• Bug fix
• Documentation

---

Changes (by file)

Credentials core (backend)

• DashAI/back/credentials/base_credential.py: BaseCredential ABC (TYPE="Credential"); abstract verify() with shared concrete auth(), get_key(), is_authenticated(), apply().
• DashAI/back/credentials/huggingface_credential.py, kaggle_credential.py, github_credential.py: platform implementations (HuggingFace via huggingface_hub, Kaggle via the official kaggle library with an env guard so it does not exit on import, GitHub via the official REST API).
• DashAI/back/credentials/encryptor.py: Fernet encryption plus key bootstrap (env var or a key file).
• DashAI/back/credentials/store.py: CredentialStore, the single boundary for the DB and encryption.
• DashAI/back/credentials/sync.py: refreshes the credentials_satisfied flags from stored statuses.

Registry and wiring (backend)

• DashAI/back/dependencies/registry/relationship_manager.py: relations are now typed (compatible_components, required_credentials, optional_credentials) using a nested dict.
• DashAI/back/dependencies/registry/component_registry.py: registers credential relations, exposes required_credentials / optional_credentials and credentials_satisfied, and adds refresh_credentials_status.
• DashAI/back/config_object.py: get_credential(name) helper available to any component.
• DashAI/back/container.py, config.py, dependencies/config_builder.py: build the encryptor and store and resolve the key path.
• DashAI/back/initial_components.py: register the three credential components.
• DashAI/back/api/api_v1/endpoints/plugins.py: sync credential flags on plugin install.

Persistence (backend)

• DashAI/back/dependencies/database/models.py and alembic/.../d4e8a2c6f0b1_add_credential_table.py: new credential table (encrypted key, verified flag).

API (backend)

• DashAI/back/api/api_v1/endpoints/credentials.py and api.py: GET /credential/, GET /credential/{name}, POST /credential/{name}/auth, DELETE /credential/{name}.

Component auth (backend)

• DashAI/back/models/hugging_face/stable_diffusion_v3_model.py: declares REQUIRED_CREDENTIALS=["HuggingFaceCredential"], removes the huggingface_key schema field, and logs in via get_credential().apply().
• DashAI/back/dataset_sources/huggingface_dataset_source.py: declares OPTIONAL_CREDENTIALS=["HuggingFaceCredential"].

Frontend

• api/credentials.ts, types/credential.ts, types/component.ts: credential client and types; the component type gains the credential fields.
• components/credentials/CredentialsDialog.jsx, CredentialsButton.jsx, ResponsiveAppBar.jsx: global Credentials manager (gear button) with verify and remove, key shown (masked by default with a reveal toggle).
• components/custom/ComponentSelector.jsx: lock icon and disabled card when a required credential is missing; key icon for optional credentials.
• hooks/useComponentAvailability.js: availability helper.
• utils/i18n/index.js and locales/{en,es,pt,de,zh}/credentials.json: translations.

Packaging

• requirements.txt: add cryptography and kaggle.

---

Testing

• Backend suite passes (pytest tests/back). New coverage under tests/back/credentials/ (encryptor, store, base and concrete credentials, get_credential), tests/back/registries/ (typed relations, credential tracking), and tests/back/api/test_credentials_api.py.
• Frontend was not unit tested for these changes; verify the Credentials modal (authenticate and remove) and that StableDiffusionV3 shows as locked and disabled until HuggingFace is authenticated.

---

Notes

• Keys are encrypted at rest (Fernet); the secret comes from DASHAI_CREDENTIALS_SECRET or an auto generated ~/.DashAI/.credentials_key.
• The stored key is returned by the credential API so the modal can display it, an intentional trade off for DashAI's local first, single user desktop model.
• Credential status refreshes on user actions (authenticate or remove in the modal, plugin install), not at app startup; after a restart a gated component reads as locked until the credential is verified again in the modal.
• Per credential auth state for optional credentials is not yet reflected on component cards (the card only knows credentials_satisfied, which covers required credentials only), a candidate follow up.
• The GitHub credential (github_credential.py) is implemented and tested but not registered in initial_components.py, so it does not appear in the Credentials modal. Re list it there to enable it.