stela ops usage fixes roles propagation and timoeut, one account to support multi tenants, migrations consolidation, search to support documentation, doctor and open api vector db search

docs/modules/gateway/openapi.md

@@ -175,20 +175,39 @@ Each endpoint with claims gets a security requirement:
 ```csharp
 public static JsonArray GenerateSecurityRequirement(EndpointDescriptor endpoint)
 {
-    if (endpoint.RequiringClaims.Count == 0)
-        return new JsonArray(); // No security required
+    if (endpoint.AllowAnonymous)
+        return new JsonArray(); // Anonymous endpoint
+
+    if (!endpoint.RequiresAuthentication && endpoint.RequiringClaims.Count == 0)
+        return new JsonArray(); // No auth semantics published
 
     return new JsonArray
     {
         new JsonObject
         {
             ["BearerAuth"] = new JsonArray(),
-            ["OAuth2"] = new JsonArray(claims.Select(c => c.Type))
+            ["OAuth2"] = new JsonArray(scopes.Select(scope => scope))
         }
     };
 }
 ```
 
+### Router-specific OpenAPI extensions
+
+Gateway now emits Router-specific extensions on each operation:
+
+- `x-stellaops-gateway-auth`: effective authorization semantics projected from endpoint metadata.
+  - `allowAnonymous`
+  - `requiresAuthentication`
+  - `source` (`None`, `AspNetMetadata`, `YamlOverride`, `Hybrid`)
+  - optional `policies`, `roles`, `claimRequirements`
+- `x-stellaops-timeout`: timeout semantics used by gateway dispatch.
+  - `effectiveSeconds`
+  - `source` (`endpoint`, `gatewayRouteDefault`, and capped variants)
+  - `endpointSeconds`, `gatewayRouteDefaultSeconds`, `gatewayGlobalCapSeconds` when available
+  - precedence list: endpoint override -> service default -> gateway route default -> gateway global cap
+- `x-stellaops-timeout-seconds`: backward-compatible scalar alias for `effectiveSeconds`.
+
 ---
 
 ## Configuration Reference