Add Authority Advisory AI and API Lifecycle Configuration

- Introduced AuthorityAdvisoryAiOptions and related classes for managing advisory AI configurations, including remote inference options and tenant-specific settings.
- Added AuthorityApiLifecycleOptions to control API lifecycle settings, including legacy OAuth endpoint configurations.
- Implemented validation and normalization methods for both advisory AI and API lifecycle options to ensure proper configuration.
- Created AuthorityNotificationsOptions and its related classes for managing notification settings, including ack tokens, webhooks, and escalation options.
- Developed IssuerDirectoryClient and related models for interacting with the issuer directory service, including caching mechanisms and HTTP client configurations.
- Added support for dependency injection through ServiceCollectionExtensions for the Issuer Directory Client.
- Updated project file to include necessary package references for the new Issuer Directory Client library.

etc/task-runner.yaml.sample

@@ -0,0 +1,69 @@
+# StellaOps Task Runner configuration template.
+# Copy to ../etc/task-runner.yaml (relative to the Task Runner content root)
+# and adjust values for your environment. Environment variables prefixed with
+# STELLAOPS_TASKRUNNER_ override these values at runtime.
+
+schemaVersion: 1
+
+telemetry:
+  enabled: true
+  serviceName: "stellaops-taskrunner"
+  exportConsole: true
+  minimumLogLevel: "Information"
+  otlpEndpoint: ""
+  resourceAttributes:
+    deployment.environment: "local"
+
+authority:
+  issuer: "https://authority.stella-ops.local"
+  metadataAddress: ""
+  requireHttpsMetadata: true
+  audiences:
+    - "api://task-runner"
+  # Client credentials used for executing packs. Provide either clientSecret or
+  # clientSecretFile (preferred for production).
+  runnerClient:
+    clientId: "task-runner"
+    clientSecret: ""
+    clientSecretFile: "../secrets/task-runner.secret"
+    scopes:
+      - "packs.run"
+      - "packs.read"
+  # Client used to approve gates when automation workflows sign off on runs.
+  approvalsClient:
+    clientId: "pack-approver"
+    clientSecret: ""
+    clientSecretFile: "../secrets/pack-approver.secret"
+    scopes:
+      - "packs.approve"
+      - "packs.read"
+  # Optional secondary client used for registry interactions (promote/deprecate).
+  registryClient:
+    clientId: "packs-registry"
+    clientSecret: ""
+    clientSecretFile: "../secrets/packs-registry.secret"
+    scopes:
+      - "packs.write"
+      - "packs.read"
+  # Tenant context required for all Task Runner operations.
+  tenant: "tenant-default"
+
+storage:
+  # Object storage bucket where run artifacts and evidence bundles are kept.
+  artifactsBucket: "s3://stellaops-taskrunner-artifacts"
+  # MongoDB stores run metadata and approval state; update connection string
+  # before deploying.
+  mongoConnectionString: "mongodb://taskrunner:taskrunner@mongo:27017/taskrunner?authSource=admin"
+
+approvals:
+  # Default timeout before pending approvals auto-expire.
+  defaultExpiresAfter: "04:00:00"
+  # Notifications topic emitted when approvals are requested/resolved.
+  notifyTopic: "pack.run.approvals"
+
+runner:
+  # Maximum concurrent steps Task Runner executes per worker.
+  maxParallelSteps: 8
+  # Allowlist of modules that can initiate network calls when sealed=false.
+  networkAllowlist:
+    - "*.internal.stella-ops.local"