Add LDAP Distinguished Name Helper and Credential Audit Context

- Implemented LdapDistinguishedNameHelper for escaping RDN and filter values.
- Created AuthorityCredentialAuditContext and IAuthorityCredentialAuditContextAccessor for managing credential audit context.
- Developed StandardCredentialAuditLogger with tests for success, failure, and lockout events.
- Introduced AuthorityAuditSink for persisting audit records with structured logging.
- Added CryptoPro related classes for certificate resolution and signing operations.

docs/updates/2025-11-09-authority-ldap-plugin.md

@@ -0,0 +1,12 @@
+# 2025-11-09 — Authority LDAP Plug-in Readiness (PLG7.IMPL-005)
+
+## Summary
+- Added a dedicated LDAP quick-reference section to the Authority plug-in developer guide covering mutual TLS requirements, DN→role regex mappings, Mongo-backed claim caching, and the client-provisioning audit mirror.
+- Refreshed the sample manifest at `etc/authority.plugins/ldap.yaml` so operators see cache-enabled defaults, placeholder usage for regex mappings, and audit-mirror notes that match the implementation.
+- Documented that Offline Kits now ship the LDAP plug-in binaries plus the curated manifest, enabling air-gapped installs to drop the assets directly into `plugins/authority/**`.
+- Logged the shipment in release notes so Security/Docs guilds can reference the change and testers can align their smoke runs.
+
+## Impact
+- Documentation now tells operators exactly how to enable mutual TLS, configure regex mappings, and size caches/audit mirrors before turning the plug-in on.
+- Offline Kit consumers understand that LDAP plug-in artefacts are part of the bundle and no longer have to copy manifests manually across environments.
+- Sprint 100 tracker reflects PLG7.IMPL-005 as DONE, unblocking Authority/Docs sign-off for the LDAP plug-in workstream.