Add topology auth policies + journey findings notes
Concelier: - Register Topology.Read, Topology.Manage, Topology.Admin authorization policies mapped to OrchRead/OrchOperate/PlatformContextRead/IntegrationWrite scopes. Previously these policies were referenced by endpoints but never registered, causing System.InvalidOperationException on every topology API call. Gateway routes: - Simplified targets/environments routes (removed specific sub-path routes, use catch-all patterns instead) - Changed environments base route to JobEngine (where CRUD lives) - Changed to ReverseProxy type for all topology routes KNOWN ISSUE (not yet fixed): - ReverseProxy routes don't forward the gateway's identity envelope to Concelier. The regions/targets/bindings endpoints return 401 because hasPrincipal=False — the gateway authenticates the user but doesn't pass the identity to the backend via ReverseProxy. Microservice routes use Valkey transport, which includes the envelope headers. Topology endpoints need either: (a) Valkey transport registration in Concelier, or (b) Concelier configured to accept raw bearer tokens on ReverseProxy paths. This is an architecture-level fix. Journey findings collected so far: - Integration wizard (Harbor + GitHub App): works end-to-end - Advisory Check All: fixed (parallel individual checks) - Mirror domain creation: works, generate-immediately fails silently - Topology wizard Step 1 (Region): blocked by auth passthrough issue - Topology wizard Step 2 (Environment): POST to JobEngine needs verification - User ID resolution: raw hashes shown everywhere Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -283,6 +283,16 @@ public sealed class MigrationRunner : IMigrationRunner
|
||||
|
||||
try
|
||||
{
|
||||
// Bind the search_path to the target module schema for this transaction.
|
||||
// SET LOCAL scopes the change to the current transaction so that unqualified
|
||||
// table names in migration SQL resolve to the module schema, not public.
|
||||
var quotedSchemaLocal = QuoteIdentifier(SchemaName);
|
||||
await using (var searchPathCommand = new NpgsqlCommand(
|
||||
$"SET LOCAL search_path TO {quotedSchemaLocal}, public", connection, transaction))
|
||||
{
|
||||
await searchPathCommand.ExecuteNonQueryAsync(cancellationToken).ConfigureAwait(false);
|
||||
}
|
||||
|
||||
await using (var command = new NpgsqlCommand(migration.Content, connection, transaction))
|
||||
{
|
||||
command.CommandTimeout = timeoutSeconds;
|
||||
|
||||
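Review bot: The `SET LOCAL search_path TO {quotedSchemaLocal}, public` statement is built by string interpolation, and since `SET` cannot take bind parameters the whole statement's safety rests on `QuoteIdentifier` correctly doubling embedded double quotes in SchemaName; neither that helper nor the origin of SchemaName is visible in the hunk, so this is the one contract worth stating next to the call. I would add a comment such as `// SET cannot be parameterized; QuoteIdentifier must escape embedded quotes — SchemaName is trusted configuration, not request input.` and, if SchemaName is configurable, reject anything outside a strict identifier pattern where it is first assigned. The same shape appears in the second hunk (`{quotedSchema}`), where `quotedSchema` is defined outside the hunk and presumably comes from the same quoting helper — worth confirming. An alternative that keeps the value out of the SQL text is `SELECT set_config('search_path', @path, true)` with the setting string passed as a parameter. The enclosing method starts before and continues after this hunk.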
@@ -370,6 +370,15 @@ public abstract class StartupMigrationHost : IHostedService
|
||||
|
||||
try
|
||||
{
|
||||
// Bind the search_path to the target module schema for this transaction.
|
||||
// SET LOCAL scopes the change to the current transaction so that unqualified
|
||||
// table names in migration SQL resolve to the module schema, not public.
|
||||
await using (var searchPathCommand = new NpgsqlCommand(
|
||||
$"SET LOCAL search_path TO {quotedSchema}, public", connection, transaction))
|
||||
{
|
||||
await searchPathCommand.ExecuteNonQueryAsync(cancellationToken).ConfigureAwait(false);
|
||||
}
|
||||
|
||||
// Execute migration SQL
|
||||
await using (var migrationCommand = new NpgsqlCommand(migration.Content, connection, transaction))
|
||||
{
|
||||
|
||||
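Review bot: The `// Execute migration SQL` comment restates the next line; the useful thing to record here is the precondition the new `SET LOCAL` creates, namely that the search_path binding lasts only while `transaction` is open, so a migration script that issues its own `COMMIT`/`ROLLBACK` would run its remaining statements against the session default search_path (and no longer in the module schema). Suggest replacing it with `// Runs inside the same transaction as the SET LOCAL above; scripts must not contain their own COMMIT/ROLLBACK or the search_path binding lapses.` If scripts are already rejected for embedded transaction control elsewhere, a pointer to that check would do. The enclosing method continues outside the hunk.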