feat: add Auth0 WIF token script and update Dockerfile (refs #127)

- Create fetch-auth0-token.sh for Auth0 M2M -> GCP WIF token exchange
- Add jq to Dockerfile system dependencies
- Ensure script is executable in container image

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ocr/Dockerfile

@@ -1,8 +1,8 @@
 # Production Dockerfile for MotoVaultPro OCR Service
 # Uses mirrored base images from Gitea Package Registry
 #
-# Primary engine: PaddleOCR PP-OCRv4 (models baked into image)
-# Cloud fallback: Google Vision (optional, requires API key at runtime)
+# Primary engine: Google Vision via Auth0 WIF (monthly-capped)
+# Fallback engine: PaddleOCR PP-OCRv4 (models baked into image)
 
 # Build argument for registry (defaults to Gitea mirrors, falls back to Docker Hub)
 ARG REGISTRY_MIRRORS=git.motovaultpro.com/egullickson/mirrors
@@ -14,7 +14,8 @@ FROM ${REGISTRY_MIRRORS}/python:3.13-slim
 # - libheif1/libheif-dev: HEIF image support (iPhone photos)
 # - libglib2.0-0: GLib shared library (OpenCV dependency)
 # - libmagic1: File type detection
-# - curl: Health check endpoint
+# - curl: Health check endpoint + Auth0 token fetch
+# - jq: JSON parsing for Auth0 token script
 RUN apt-get update && apt-get install -y --no-install-recommends \
     libgomp1 \
     libheif1 \
@@ -22,6 +23,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     libglib2.0-0 \
     libmagic1 \
     curl \
+    jq \
     && rm -rf /var/lib/apt/lists/*
 
 # Python dependencies
@@ -42,5 +44,8 @@ RUN python -c "from paddleocr import PaddleOCR; PaddleOCR(ocr_version='PP-OCRv4'
 
 COPY . .
 
+# Ensure Auth0 WIF token script is executable
+RUN chmod +x /app/scripts/fetch-auth0-token.sh
+
 EXPOSE 8000
 CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]