[codex] Improve Azure e2e auth discovery

[MiguelElGallo]

Summary

• Add shared azd environment discovery for Azure-backed DuckLake and JDBC e2e tests.
• Add PostgreSQL firewall helper and clearer diagnostics for local Azure e2e runs.
• Enforce auth when a server password is configured, add live Container App auth checks, and document the tracked ADBC Basic xfail.
• Wire a stable LAKEHOUSE_SECRET_KEY through Bicep, Key Vault, and Container App configuration.

Validation

• uv run ruff check .
• uv run ty check src/lakehouse/
• uv run pytest -q (594 passed, 2 skipped)
• LAKEHOUSE_LIVE_BACKEND=1 uv run pytest -q tests/test_live_azure_backend.py (1 passed, 1 skipped)
• LAKEHOUSE_LIVE_BACKEND=1 LAKEHOUSE_LIVE_BACKEND_ADBC_BASIC=1 uv run pytest -q tests/test_live_azure_backend.py (1 passed, 1 xfailed)

[Copilot]

Pull request overview

Improves Azure-backed end-to-end test ergonomics and deployed backend auth by centralizing local azd environment discovery, enforcing auth when configured, and wiring a stable signing key through the Azure deployment.

Changes:

• Add lakehouse._azd_env helpers + tests to resolve DuckLake/Container App settings from explicit env vars or local .azure/<env>/.env / azd env get-values.
• Enforce “auth required” behavior when a server password is configured (middleware + new/updated tests), plus add opt-in “live Azure backend” smoke tests.
• Plumb LAKEHOUSE_SECRET_KEY through Bicep/Key Vault/Container App configuration and document live test usage.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
tests/test_main.py	Adds a server-level auth regression test for missing credentials.
tests/test_live_azure_backend.py	New opt-in tests that query the deployed Container App and validate bearer auth path.
tests/test_jdbc.py	Uses shared DuckLake env/azd discovery and adds clearer failure diagnostics for DuckLake init.
tests/test_e2e_ducklake.py	Uses shared DuckLake env/azd discovery and adds clearer failure diagnostics for DuckLake init.
tests/test_e2e.py	Adds “missing auth rejected” e2e test and tightens wrong-password assertion.
tests/test_azd_env.py	New unit tests for azd env parsing/resolution helpers and firewall hint messaging.
tests/test_auth.py	Adds coverage for the new required-auth middleware factory.
tests/jdbc/run_local_jdbc_tests.py	Uses shared DuckLake env/azd discovery and improves local failure hints.
src/lakehouse/auth.py	Introduces RequiredAuthServerMiddlewareFactory to reject requests without supported auth.
src/lakehouse/_azd_env.py	New module to parse/load azd environment outputs and resolve non-secret values for tests/tools.
src/lakehouse/main.py	Wires required-auth middleware into the server when password auth is enabled.
scripts/allow-current-ip-postgres.sh	New helper script to add/update a PostgreSQL Flexible Server firewall rule for the current public IP.
infra/modules/keyvault.bicep	Adds Key Vault secret for lakehouse-secret-key and outputs its secret URI.
infra/modules/container-app.bicep	Passes the secret key into the Container App as LAKEHOUSE_SECRET_KEY via Key Vault reference.
infra/main.parameters.json	Adds parameter wiring for lakehouseSecretKey from ${LAKEHOUSE_SECRET_KEY}.
infra/main.json	Regenerates ARM template to include the new secret key parameter/secret wiring.
infra/main.bicep	Adds secure parameter lakehouseSecretKey and forwards it to Key Vault + Container App modules.
README.md	Documents LAKEHOUSE_SECRET_KEY setup and the new opt-in live backend test commands/semantics.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.