Add Authority Advisory AI and API Lifecycle Configuration

- Introduced AuthorityAdvisoryAiOptions and related classes for managing advisory AI configurations, including remote inference options and tenant-specific settings.
- Added AuthorityApiLifecycleOptions to control API lifecycle settings, including legacy OAuth endpoint configurations.
- Implemented validation and normalization methods for both advisory AI and API lifecycle options to ensure proper configuration.
- Created AuthorityNotificationsOptions and its related classes for managing notification settings, including ack tokens, webhooks, and escalation options.
- Developed IssuerDirectoryClient and related models for interacting with the issuer directory service, including caching mechanisms and HTTP client configurations.
- Added support for dependency injection through ServiceCollectionExtensions for the Issuer Directory Client.
- Updated project file to include necessary package references for the new Issuer Directory Client library.

src/Scanner/__Libraries/StellaOps.Scanner.Surface.Secrets/ServiceCollectionExtensions.cs

@@ -0,0 +1,66 @@
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using StellaOps.Scanner.Surface.Env;
+using StellaOps.Scanner.Surface.Secrets.Providers;
+
+namespace StellaOps.Scanner.Surface.Secrets;
+
+public static class ServiceCollectionExtensions
+{
+    public static IServiceCollection AddSurfaceSecrets(
+        this IServiceCollection services,
+        Action<SurfaceSecretsOptions>? configure = null)
+    {
+        if (services is null)
+        {
+            throw new ArgumentNullException(nameof(services));
+        }
+
+        services.AddOptions<SurfaceSecretsOptions>();
+        if (configure is not null)
+        {
+            services.Configure(configure);
+        }
+
+        services.TryAddSingleton<ISurfaceSecretProvider>(sp =>
+        {
+            var env = sp.GetRequiredService<ISurfaceEnvironment>();
+            var options = sp.GetRequiredService<IOptions<SurfaceSecretsOptions>>().Value;
+            var logger = sp.GetRequiredService<ILoggerFactory>().CreateLogger("SurfaceSecrets");
+            return CreateProvider(env.Settings.Secrets, logger);
+        });
+
+        return services;
+    }
+
+    private static ISurfaceSecretProvider CreateProvider(SurfaceSecretsConfiguration configuration, ILogger logger)
+    {
+        var providers = new List<ISurfaceSecretProvider>();
+
+        switch (configuration.Provider.ToLowerInvariant())
+        {
+            case "kubernetes":
+                providers.Add(new KubernetesSurfaceSecretProvider(configuration, logger));
+                break;
+            case "file":
+                providers.Add(new FileSurfaceSecretProvider(configuration.Root ?? throw new ArgumentException("Secrets root is required for file provider.")));
+                break;
+            case "inline":
+                providers.Add(new InlineSurfaceSecretProvider(configuration));
+                break;
+            default:
+                logger.LogWarning("Unknown surface secret provider '{Provider}'. Falling back to inline provider.", configuration.Provider);
+                providers.Add(new InlineSurfaceSecretProvider(configuration));
+                break;
+        }
+
+        if (!string.IsNullOrWhiteSpace(configuration.FallbackProvider))
+        {
+            providers.Add(new InlineSurfaceSecretProvider(configuration with { Provider = configuration.FallbackProvider }));
+        }
+
+        return providers.Count == 1 ? providers[0] : new CompositeSurfaceSecretProvider(providers);
+    }
+}