feat: Lakebase deployment, auth improvements, and PBI model routing

[MrBlack1995]

Summary

• Lakebase deployment docs: Added src/docs/lakebase-deployment.md — full guide covering SQLite quick-start (no Lakebase) and production Lakebase setup with Databricks Secrets, what to change in src/app.yaml before deploying to a new workspace, PAT→OAuth token exchange flow, and credential rotation
• Auth: X-forward authentication improvements
• PBI model routing: Support for alternative routes for model fetching outside Fabric

Changes

• src/docs/lakebase-deployment.md — new deployment guide (SQLite + Lakebase paths)
• src/app.yaml — Lakebase PostgreSQL configuration with Databricks Secrets
• src/backend/src/config/settings.py — settings updates
• src/backend/src/db/session.py — automatic PAT→OAuth token refresh on every connection
• src/entrypoint.py — --db-type flag and token exchange on startup

Test plan

• Deploy with SQLite: python3 src/deploy.py --app-name kasal-dev --user-name <email> — verify app starts with no DB env vars
• Deploy with Lakebase: follow src/docs/lakebase-deployment.md steps, verify data persists across restarts
• Verify PAT→OAuth exchange on startup (check logs for token refresh)
• Verify OAuth token auto-refresh after ~1 hour

🤖 Generated with Claude Code

[gitguardian]

️✅ There are no secrets present in this pull request anymore.

If these secrets were true positive and are still valid, we highly recommend you to revoke them.
While these secrets were previously flagged, we no longer have a reference to the
specific commits where they were detected. Once a secret has been leaked into a git
repository, you should consider it compromised, even if it was deleted immediately.
Find here more information about risks.

---

^{_{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}}