feat(server): tenant-registry skeleton boots against dev stack

Minimal Go service so platform/portal has something to resolve in local
dev. Stdlib net/http with Go 1.22 enhanced ServeMux (method+path
patterns); no third-party deps yet.

Layout:
  cmd/server/main.go               entry point with graceful shutdown
  internal/config/                 env-driven config (APP_ENV, ADDR, KC issuer)
  internal/server/                 http handlers + request-logging middleware
  internal/store/memory.go         in-memory tenant store, seeded with acme
  migrations/0001_init.up.sql      schema for the M4.1 follow-up (unapplied)
  Makefile                         dev/test/build/lint/docker targets
  Dockerfile                       multi-stage distroless build

Endpoints (under :8080 in dev):
  GET /healthz
  GET /v1/tenants/by-slug/{slug}   200 acme | 404
  GET /v1/tenants/{id}             200 by uuid | 404

JWT validation and the real Postgres-backed store land in the M4.1
follow-up PR — keeping this PR strictly to 'boots, replies, tests pass'.

Refs: M4.1 (skeleton)

README.md

@@ -20,19 +20,51 @@ Multi-tenant glue: orgs, entitlements, API keys, audit. Scaffolded under milesto
 ## Run locally
 
 ```bash
-# prerequisites: see CONTRIBUTING.md for tooling once code lands
-make dev          # starts dependencies + this service on http://localhost:8080
-make test         # unit + integration
-make e2e          # only if this repo ships user-facing flows
+# Prerequisites: Go 1.25+
+# Dependencies (Keycloak, pg-app) come from the dev stack — see platform/orca-platform/dev.
+
+# In one terminal — bring up dev dependencies (in the orca-platform clone):
+cd /path/to/platform/orca-platform && make dev-up
+
+# In another — run the service:
+make dev          # APP_ENV=dev, listens on :8080
+make test         # unit tests
+make build        # compile to ./bin/tenant-registry
 ```
 
-Local secrets come from `.env.local` (gitignored). Template at `.env.example`.
+Env vars (override at the shell):
 
-## Endpoints / surface
+| Var                | Default                                                      | Purpose                                |
+|---|---|---|
+| `APP_ENV`          | `dev`                                                        | one of `dev`, `stage`, `prod`          |
+| `ADDR`             | `:8080`                                                      | listen address                         |
+| `KEYCLOAK_ISSUER`  | `http://localhost:8080/realms/breakpilot-dev`                | OIDC issuer URL                        |
+| `DATABASE_URL`     | empty (in-memory store in skeleton)                          | Postgres DSN, wired up in the M4.1 schema PR |
 
-{{For services: list the top-level routes or commands.
-For libraries: list the public API entry points.
-For IaC: list the make targets.}}
+## Endpoints
+
+| Method | Path                              | Returns                                                                 |
+|---|---|---|
+| GET    | `/healthz`                        | `{"status":"ok"}` — liveness probe                                       |
+| GET    | `/v1/tenants/by-slug/{slug}`      | 200 with tenant JSON, 404 if missing                                     |
+| GET    | `/v1/tenants/{id}`                | 200 with tenant JSON, 404 if missing                                     |
+
+The skeleton's store is in-memory and pre-seeded with one tenant:
+
+```json
+{
+  "id": "00000000-0000-0000-0000-000000000001",
+  "slug": "acme",
+  "name": "Acme Inc.",
+  "status": "active",
+  "plan": "professional",
+  "products": ["certifai", "compliance"]
+}
+```
+
+So `curl http://localhost:8080/v1/tenants/by-slug/acme` works the moment `make dev` is up.
+
+The full schema (tenants, tenant_products, audit_log) is committed at `migrations/0001_init.up.sql` for review, but unapplied until the M4.1 follow-up PR swaps the in-memory store for pgx-backed Postgres.
 
 ## Deployment