feat: per-user Globus token submission for SLURM-level attribution

[Anas321]

Summary

• GlobusComputeClient.submit_streaming_inference() now accepts an optional globus_token parameter
• When provided, a short-lived Executor is created using AccessTokenAuthorizer so the SLURM job is submitted under the caller's own Globus identity, giving per-user attribution on the HPC cluster
• API-key callers are unaffected: the persistent executor (stored credentials) is used as before
• stream/proxy/app.py passes caller.globus_token through to the Globus client when Mode A (Globus Token Auth) is active

Motivation

The paper described per-user SLURM attribution as a feature of Mode A (Globus Token Auth), but the implementation was using the proxy's own stored credentials for all job submissions. This brings code and paper into alignment.

Notes

• First request from a new Globus user pays ~1.5 s AMQP setup cost; subsequent requests reuse channels
• Executor is shut down (non-blocking) after the future is submitted to avoid resource leaks
• No breaking changes: globus_token=None preserves prior behavior exactly

Test plan

• API-key caller: confirm gce = self._get_executor() path is taken (log shows no "caller-token executor" message)
• Globus token caller: confirm log shows "Using caller-token executor (per-user SLURM attribution, channel=...)" and SLURM job appears under caller's username

🤖 Generated with Claude Code