feat(api): M4.2 — full REST surface + pgx-backed Postgres store

Replaces the M5.1-skeleton handler set with the M4.2 spec from
IMPLEMENTATION_PLAN.md:

Endpoints (authoritative shape in openapi.yaml):
  POST   /v1/tenants
  GET    /v1/tenants/{id}
  GET    /v1/tenants/by-slug/{slug}
  POST   /v1/tenants/{id}/activate
  POST   /v1/tenants/{id}/cancel
  GET    /v1/entitlements?tenant_id=...
  GET    /v1/catalog
  POST   /v1/catalog/request
  POST   /v1/catalog/trial-request
  POST   /v1/api-keys                       returns plaintext ONCE
  GET    /v1/api-keys?tenant_id=...
  DELETE /v1/api-keys/{id}
  POST   /v1/internal/api-keys/verify       always 200; valid: bool
  POST   /v1/audit
  GET    /v1/audit?{tenant_id,product,actor_id,action,since,until,limit,cursor}

Architecture:
  internal/store/store.go        Store interface (CRUD + audit + ping)
  internal/store/memory.go       in-process impl, used when DATABASE_URL
                                 is empty (seed acme tenant, no migrations)
  internal/store/postgres.go     pgxpool impl against the M4.1 schema
  internal/server/server.go      router + healthz/readyz
  internal/server/{tenants,catalog,apikeys,audit}.go
                                 per-concern handlers (≤250 LoC each)
  internal/server/helpers.go     writeJSON/writeError/error mapping/log mw
  openapi.yaml                   3.1 spec; openapi_test.go is the contract gate

API keys:
  Plaintext format 'bp_<22-char base64>'. Prefix bp_<8> stored for UI.
  Hash is argon2id(salt, time=1, mem=64MB, threads=4, len=32) encoded as
  'argon2id|<salt-b64>|<hash-b64>'. Format-tagged so we can rotate
  parameters without re-keying. Verify is constant-time.

Store selection:
  cmd/server picks Postgres when DATABASE_URL is set, otherwise Memory.
  Both implementations are exercised by the same eachStore test harness —
  parity is enforced.

Audit:
  Every state-changing endpoint emits via s.emitAudit() (fire-and-forget).
  audit_log uses ON DELETE SET NULL on tenant_id so forensic history
  outlives tenant deletes (per M4.1 schema).

Routing constraint:
  Go 1.22 ServeMux can't disambiguate /v1/tenants/{id}/products from
  /v1/tenants/by-slug/{slug=products}. Per-tenant subresources moved to
  query-param top-level paths: /v1/entitlements?tenant_id=… and
  /v1/api-keys?tenant_id=….

Tests:
  Every endpoint exercised against both Memory and Postgres via the
  eachStore harness. Includes happy paths, validation errors, conflicts,
  404s, auto-audit-emit assertion. testcontainers-go for the postgres
  harness; gated by -short.

  TestOpenAPISpec is the contract gate: every documented operation must
  resolve against the router. (kin-openapi v0.138.0.)

Refs: M4.2

internal/server/server_test.go

@@ -1,73 +1,179 @@
-package server
+package server_test
 
 import (
+	"bytes"
+	"context"
+	"database/sql"
 	"encoding/json"
+	"fmt"
 	"io"
 	"log/slog"
 	"net/http"
 	"net/http/httptest"
 	"os"
 	"testing"
+	"time"
+
+	"github.com/golang-migrate/migrate/v4"
+	migpg "github.com/golang-migrate/migrate/v4/database/postgres"
+	"github.com/golang-migrate/migrate/v4/source/iofs"
+	_ "github.com/jackc/pgx/v5/stdlib"
+	tcpostgres "github.com/testcontainers/testcontainers-go/modules/postgres"
 
 	"gitea.meghsakha.com/platform/tenant-registry/internal/config"
+	"gitea.meghsakha.com/platform/tenant-registry/internal/server"
+	"gitea.meghsakha.com/platform/tenant-registry/internal/store"
+	"gitea.meghsakha.com/platform/tenant-registry/migrations"
 )
 
-func newTestServer(t *testing.T) *httptest.Server {
+// ─── harness ──────────────────────────────────────────────────────────────
+
+type testHarness struct {
+	t      *testing.T
+	srv    *httptest.Server
+	store  store.Store
+	tenant *store.Tenant // pre-created acme tenant
+}
+
+func (h *testHarness) Close() {
+	h.srv.Close()
+	h.store.Close()
+}
+
+// every test runs against both stores so we know they're equivalent.
+func eachStore(t *testing.T, run func(*testing.T, *testHarness)) {
+	t.Run("memory", func(t *testing.T) {
+		h := newMemoryHarness(t)
+		defer h.Close()
+		run(t, h)
+	})
+	t.Run("postgres", func(t *testing.T) {
+		if testing.Short() {
+			t.Skip("skipping postgres harness under -short")
+		}
+		h := newPostgresHarness(t)
+		defer h.Close()
+		run(t, h)
+	})
+}
+
+func newMemoryHarness(t *testing.T) *testHarness {
 	t.Helper()
-	cfg := &config.Config{Env: "dev", Addr: ":0"}
-	h := NewRouter(cfg, slog.New(slog.NewTextHandler(os.Stderr, nil)))
-	return httptest.NewServer(h)
+	mem := store.NewMemory()
+	tenant, _ := mem.GetTenantBySlug(context.Background(), "acme")
+	return wireHarness(t, mem, tenant)
 }
 
-func TestHealthz(t *testing.T) {
-	srv := newTestServer(t)
-	defer srv.Close()
+func newPostgresHarness(t *testing.T) *testHarness {
+	t.Helper()
+	ctx, cancel := context.WithTimeout(context.Background(), 90*time.Second)
+	defer cancel()
 
-	resp, err := http.Get(srv.URL + "/healthz")
+	pgc, err := tcpostgres.Run(ctx,
+		"postgres:16-alpine",
+		tcpostgres.WithDatabase("tenant_registry_test"),
+		tcpostgres.WithUsername("test"),
+		tcpostgres.WithPassword("test"),
+		tcpostgres.BasicWaitStrategies(),
+	)
+	if err != nil {
+		t.Skipf("skipping postgres harness: docker unreachable (%v)", err)
+	}
+	dsn, err := pgc.ConnectionString(ctx, "sslmode=disable")
+	if err != nil {
+		_ = pgc.Terminate(context.Background())
+		t.Fatalf("dsn: %v", err)
+	}
+	t.Cleanup(func() {
+		c, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer cancel()
+		_ = pgc.Terminate(c)
+	})
+
+	// run migrations
+	src, err := iofs.New(migrations.FS, ".")
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer func() { _ = resp.Body.Close() }()
-	if resp.StatusCode != http.StatusOK {
-		t.Fatalf("got %d, want 200", resp.StatusCode)
-	}
-}
-
-func TestTenantBySlug_acme(t *testing.T) {
-	srv := newTestServer(t)
-	defer srv.Close()
-
-	resp, err := http.Get(srv.URL + "/v1/tenants/by-slug/acme")
+	db, err := sql.Open("pgx", dsn)
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer func() { _ = resp.Body.Close() }()
-	if resp.StatusCode != http.StatusOK {
-		body, _ := io.ReadAll(resp.Body)
-		t.Fatalf("got %d, want 200; body=%s", resp.StatusCode, body)
-	}
-	var payload map[string]any
-	if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
-		t.Fatal(err)
-	}
-	if payload["slug"] != "acme" {
-		t.Fatalf("expected slug=acme, got %v", payload["slug"])
-	}
-	if payload["status"] != "active" {
-		t.Fatalf("expected status=active, got %v", payload["status"])
-	}
-}
-
-func TestTenantBySlug_unknown(t *testing.T) {
-	srv := newTestServer(t)
-	defer srv.Close()
-
-	resp, err := http.Get(srv.URL + "/v1/tenants/by-slug/nope")
+	driver, err := migpg.WithInstance(db, &migpg.Config{})
 	if err != nil {
 		t.Fatal(err)
 	}
-	defer func() { _ = resp.Body.Close() }()
-	if resp.StatusCode != http.StatusNotFound {
-		t.Fatalf("got %d, want 404", resp.StatusCode)
+	m, err := migrate.NewWithInstance("iofs", src, "postgres", driver)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if err := m.Up(); err != nil && err.Error() != "no change" {
+		t.Fatalf("migrate: %v", err)
+	}
+	_, _ = m.Close()
+	_ = db.Close()
+
+	pg, err := store.NewPostgres(ctx, dsn)
+	if err != nil {
+		t.Fatalf("new postgres: %v", err)
+	}
+
+	// seed an acme tenant so the per-endpoint tests can reuse the slug.
+	tenant, err := pg.CreateTenant(ctx, store.TenantCreate{
+		Slug: "acme", Name: "Acme Inc.", Plan: "professional",
+	})
+	if err != nil {
+		t.Fatalf("seed acme: %v", err)
+	}
+	return wireHarness(t, pg, tenant)
+}
+
+func wireHarness(t *testing.T, s store.Store, seed *store.Tenant) *testHarness {
+	t.Helper()
+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
+	handler := server.NewRouter(&server.Server{
+		Cfg: &config.Config{Env: "dev"}, Log: logger, Store: s,
+	})
+	return &testHarness{
+		t:      t,
+		srv:    httptest.NewServer(handler),
+		store:  s,
+		tenant: seed,
 	}
 }
+
+func (h *testHarness) do(method, path string, body any) (*http.Response, []byte) {
+	h.t.Helper()
+	var reader io.Reader
+	if body != nil {
+		buf, _ := json.Marshal(body)
+		reader = bytes.NewReader(buf)
+	}
+	req, err := http.NewRequest(method, h.srv.URL+path, reader)
+	if err != nil {
+		h.t.Fatal(err)
+	}
+	if body != nil {
+		req.Header.Set("Content-Type", "application/json")
+	}
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		h.t.Fatal(err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+	raw, _ := io.ReadAll(resp.Body)
+	return resp, raw
+}
+
+func decode[T any](t *testing.T, raw []byte) T {
+	t.Helper()
+	var v T
+	if err := json.Unmarshal(raw, &v); err != nil {
+		t.Fatalf("decode: %v; raw=%s", err, raw)
+	}
+	return v
+}
+
+// silence unused-import linter warnings if a test is removed temporarily.
+var _ = fmt.Sprintf
+var _ = os.Stderr