Add Authority Advisory AI and API Lifecycle Configuration

- Introduced AuthorityAdvisoryAiOptions and related classes for managing advisory AI configurations, including remote inference options and tenant-specific settings.
- Added AuthorityApiLifecycleOptions to control API lifecycle settings, including legacy OAuth endpoint configurations.
- Implemented validation and normalization methods for both advisory AI and API lifecycle options to ensure proper configuration.
- Created AuthorityNotificationsOptions and its related classes for managing notification settings, including ack tokens, webhooks, and escalation options.
- Developed IssuerDirectoryClient and related models for interacting with the issuer directory service, including caching mechanisms and HTTP client configurations.
- Added support for dependency injection through ServiceCollectionExtensions for the Issuer Directory Client.
- Updated project file to include necessary package references for the new Issuer Directory Client library.

docs/dev/32_AUTH_CLIENT_GUIDE.md

@@ -81,11 +81,38 @@ CLI and Concelier teams should expose these knobs once they adopt the auth clien
 3. **Observability:** watch for `StellaOps.Auth.Client.HttpRetry` warnings in your logs. Excessive retries mean the upstream Authority cluster needs attention.
 4. **Determinism:** keep retry delays deterministic. Avoid random jitter—operators can introduce jitter at the infrastructure layer if desired.
 
-## 5. Rollout checklist
-
-- [ ] Update consuming service/CLI configuration schema to include the new settings.
-- [ ] Document recommended defaults for offline (air-gapped) versus connected deployments.
-- [ ] Extend smoke tests to cover Authority outage scenarios.
-- [ ] Coordinate with Docs Guild so user-facing quickstarts reference the new knobs.
-
-Once Concelier and CLI integrate these changes, we can mark LIB5 **DONE**; further packaging work is deferred until the backlog reintroduces it.
+## 5. Rollout checklist
+
+- [ ] Update consuming service/CLI configuration schema to include the new settings.
+- [ ] Document recommended defaults for offline (air-gapped) versus connected deployments.
+- [ ] Extend smoke tests to cover Authority outage scenarios.
+- [ ] Coordinate with Docs Guild so user-facing quickstarts reference the new knobs.
+
+Once Concelier and CLI integrate these changes, we can mark LIB5 **DONE**; further packaging work is deferred until the backlog reintroduces it.
+
+## 6. Authenticating downstream API clients
+
+`StellaOps.Auth.Client` now ships a DI helper for wiring authenticated `HttpClient` instances:
+
+```csharp
+services.AddHttpClient(\"notify\", client =>
+    {
+        client.BaseAddress = new Uri(configuration[\"StellaOps:Notify:BaseUrl\"]!);
+    })
+    .AddStellaOpsApiAuthentication(options =>
+    {
+        options.Mode = StellaOpsApiAuthMode.ClientCredentials;
+        options.Scope = \"notify.read notify.admin\";
+        options.Tenant = configuration[\"StellaOps:Tenant\"]!;
+        // To use a PAT instead, set options.Mode = StellaOpsApiAuthMode.PersonalAccessToken
+        // and supply options.PersonalAccessToken = configuration[\"StellaOps:Notify:Pat\"].
+    });
+```
+
+The handler automatically:
+
+- Requests OAuth access tokens (password or client credentials) via `IStellaOpsTokenClient`, or attaches a pre-issued personal access token.
+- Refreshes tokens ahead of expiry using the larger of the handler refresh buffer (`options.RefreshBuffer`) and `StellaOpsAuthClientOptions.ExpirationSkew`.
+- Injects the tenancy header (`X-StellaOps-Tenant` by default) when `options.Tenant` is supplied; the header name is configurable via `options.TenantHeader`.
+
+This keeps downstream API calls consistent with the platform’s multi-tenant requirements while avoiding handwritten plumbing in each service.