feat(keycloak): M4.3 — Admin API adapter + claim resolver

internal/keycloak Adapter (HTTPAdapter + Mock). POST /v1/tenants now provisions a KC organization + IT_ADMIN invite when admin_email is set; KC failures emit keycloak.provision_failed but don't roll back. POST /v1/internal/keycloak/claims resolves the current claim bundle for any (tenant_id|tenant_slug|user_attrs.*) lookup. Mock used in tests + when KEYCLOAK_ADMIN_URL is empty. HTTPAdapter tested against an in-process stub KC (httptest.Server).

Refs: M4.3

cmd/server/main.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	"gitea.meghsakha.com/platform/tenant-registry/internal/config"
+	"gitea.meghsakha.com/platform/tenant-registry/internal/keycloak"
 	"gitea.meghsakha.com/platform/tenant-registry/internal/server"
 	"gitea.meghsakha.com/platform/tenant-registry/internal/store"
 )
@@ -42,7 +43,23 @@ func main() {
 	}
 	defer s.Close()
 
-	handler := server.NewRouter(&server.Server{Cfg: cfg, Log: logger, Store: s})
+	var kc keycloak.Adapter
+	if cfg.KeycloakAdminURL != "" && cfg.KeycloakClientID != "" {
+		kc = keycloak.NewHTTPAdapter(keycloak.HTTPConfig{
+			BaseURL:      cfg.KeycloakAdminURL,
+			Realm:        cfg.KeycloakRealm,
+			ClientID:     cfg.KeycloakClientID,
+			ClientSecret: cfg.KeycloakClientSecret,
+			Timeout:      cfg.KeycloakTimeout,
+		})
+		slog.Info("keycloak adapter configured",
+			"url", cfg.KeycloakAdminURL, "realm", cfg.KeycloakRealm, "client_id", cfg.KeycloakClientID)
+	} else {
+		slog.Warn("KEYCLOAK_ADMIN_URL not set — using mock adapter (dev only; no real KC writes)")
+		kc = keycloak.NewMock()
+	}
+
+	handler := server.NewRouter(&server.Server{Cfg: cfg, Log: logger, Store: s, Keycloak: kc})
 	srv := &http.Server{
 		Addr:         cfg.Addr,
 		Handler:      handler,