feat(integrations): secret authority service for UI-driven secret staging

Add SecretAuthorityService + endpoints so the setup wizard and
integrations hub can stage secret bundles and bind authref URIs
directly from the UI, instead of requiring out-of-band Vault seeding.
Wire the new service behind IntegrationPolicies, expose
SecretAuthorityDtos on the contracts library, and register an
UpsertSecretBundle audit action for the emission library.

Closes BOOTSTRAP-006 from SPRINT_20260413_004.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 07:55:49 +03:00
parent cadfe10fcc
commit 78afc39d2d
7 changed files with 821 additions and 0 deletions


@@ -118,6 +118,7 @@ builder.Services.AddScoped<IAuthRefResolver, VaultAuthRefResolver>();
// Core service
builder.Services.AddScoped<IntegrationService>();
builder.Services.AddScoped<SecretAuthorityService>();
builder.Services.AddSingleton<IAiCodeGuardPipelineConfigLoader, AiCodeGuardPipelineConfigLoader>();
builder.Services.AddScoped<IAiCodeGuardRunService, AiCodeGuardRunService>();
@@ -132,6 +133,8 @@ builder.Services.AddAuthorization(options =>
options.AddStellaOpsScopePolicy(IntegrationPolicies.Read, StellaOpsScopes.IntegrationRead);
options.AddStellaOpsScopePolicy(IntegrationPolicies.Write, StellaOpsScopes.IntegrationWrite);
options.AddStellaOpsScopePolicy(IntegrationPolicies.Operate, StellaOpsScopes.IntegrationOperate);
options.AddStellaOpsScopePolicy(IntegrationPolicies.SecretAuthorityRead, StellaOpsScopes.IntegrationRead);
options.AddStellaOpsScopePolicy(IntegrationPolicies.SecretAuthorityWrite, StellaOpsScopes.IntegrationWrite);
});
// Unified audit emission (posts audit events to Timeline service)
@@ -165,6 +168,7 @@ app.TryUseStellaRouter(routerEnabled);
// Map endpoints
app.MapIntegrationEndpoints();
app.MapSecretAuthorityEndpoints();
// Health endpoint
app.MapGet("/health", () => Results.Ok(new { Status = "Healthy", Timestamp = DateTimeOffset.UtcNow }))
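Review bot: The two new policies in the authorization hunk bind `IntegrationPolicies.SecretAuthorityRead` and `SecretAuthorityWrite` to the existing `StellaOpsScopes.IntegrationRead` / `IntegrationWrite` scopes, so staging a secret bundle or binding an authref requires no privilege beyond ordinary integration write; that is a wider grant than the separate policy names suggest. If reusing the integration scopes is deliberate, say so next to those two lines, e.g. `// Secret-authority policies intentionally reuse the integration scopes; revisit if secret staging needs a narrower grant.`, otherwise a dedicated scope for the write side would keep the least-privilege boundary the distinct policy names imply. The endpoint mapping in the last hunk is fine as long as `MapSecretAuthorityEndpoints` attaches those policies to every route it registers, which this file cannot show.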