feat(mcp_server): add --password option to ensure_service_user command

mnemosyne/mcp_server/management/commands/ensure_service_user.py

@@ -18,19 +18,27 @@ class Command(BaseCommand):
     def add_arguments(self, parser):
         parser.add_argument("--username", default="daedalus-service")
         parser.add_argument("--email", default="daedalus-service@local")
+        parser.add_argument(
+            "--password",
+            default=None,
+            help=(
+                "Password for HTTP Basic auth (Daedalus REST calls). "
+                "Omit to set a random unusable password (JWT-only mode)."
+            ),
+        )
 
     def handle(self, *args, **options):
         User = get_user_model()
         username = options["username"]
         email = options["email"]
+        password = options["password"] or secrets.token_urlsafe(32)
 
         user, created = User.objects.get_or_create(
             username=username,
             defaults={"email": email, "is_active": True},
         )
         if created:
-            # Set a random password the user cannot log in with via the UI.
-            user.set_password(secrets.token_urlsafe(32))
+            user.set_password(password)
             user.save(update_fields=["password"])
             self.stdout.write(self.style.SUCCESS(f"Created service user {username!r}"))
         else:
@@ -41,8 +49,11 @@ class Command(BaseCommand):
             if user.email != email:
                 user.email = email
                 changed = True
+            if options["password"]:
+                user.set_password(password)
+                changed = True
             if changed:
-                user.save(update_fields=["is_active", "email"])
+                user.save(update_fields=["is_active", "email", "password"])
                 self.stdout.write(self.style.SUCCESS(f"Updated service user {username!r}"))
             else:
                 self.stdout.write(f"Service user {username!r} already provisioned")