integrate sub2api as upstream for auth/keys/usage via FastAPI BFF

Preserve local user table for superDream-specific features while syncing
user lifecycle, API key CRUD and usage queries through sub2api. Admin token
handles reads and user lifecycle; per-user tokens (Fernet-encrypted in DB)
handle key writes that admin endpoints do not expose.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

app/config/settings.py

@@ -25,6 +25,15 @@ class Settings(BaseSettings):
     jwt_access_expire_minutes: int = 30
     jwt_refresh_expire_days: int = 7
 
+    # sub2api upstream
+    sub2api_base_url: str = "http://127.0.0.1:8080"
+    sub2api_admin_token: str = ""
+    sub2api_request_timeout: float = 10.0
+
+    # Fernet key (urlsafe base64, 44 chars). Generate with:
+    #   python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
+    token_encryption_key: str = ""
+
     @property
     def database_url(self) -> str:
         return (
@@ -32,6 +41,10 @@ class Settings(BaseSettings):
             f"@{self.db_host}:{self.db_port}/{self.db_name}"
         )
 
+    @property
+    def sub2api_api_prefix(self) -> str:
+        return self.sub2api_base_url.rstrip("/") + "/api/v1"
+
     class Config:
         env_file = ".env"
         env_prefix = "SD_"