feat(keycloak): M4.3 — Admin API adapter + claim resolver

internal/keycloak Adapter (HTTPAdapter + Mock). POST /v1/tenants now provisions a KC organization + IT_ADMIN invite when admin_email is set; KC failures emit keycloak.provision_failed but don't roll back. POST /v1/internal/keycloak/claims resolves the current claim bundle for any (tenant_id|tenant_slug|user_attrs.*) lookup. Mock used in tests + when KEYCLOAK_ADMIN_URL is empty. HTTPAdapter tested against an in-process stub KC (httptest.Server).

Refs: M4.3

internal/server/tenants_test.go

@@ -24,9 +24,12 @@ func TestCreateTenant(t *testing.T) {
 		if resp.StatusCode != http.StatusCreated {
 			t.Fatalf("status = %d, body=%s", resp.StatusCode, body)
 		}
-		t1 := decode[store.Tenant](t, body)
-		if t1.Slug != "beta-co" || t1.Status != "trial" || t1.Plan != "starter" {
-			t.Errorf("unexpected: %+v", t1)
+		out := decode[struct {
+			Tenant    *store.Tenant `json:"tenant"`
+			InviteURL string        `json:"invite_url"`
+		}](t, body)
+		if out.Tenant.Slug != "beta-co" || out.Tenant.Status != "trial" || out.Tenant.Plan != "starter" {
+			t.Errorf("unexpected: %+v", out.Tenant)
 		}
 	})
 }
@@ -81,7 +84,10 @@ func TestActivateTenant(t *testing.T) {
 		_, body := h.do("POST", "/v1/tenants", map[string]any{
 			"slug": "trial-co", "name": "Trial Co.",
 		})
-		created := decode[store.Tenant](t, body)
+		createdWrap := decode[struct {
+			Tenant *store.Tenant `json:"tenant"`
+		}](t, body)
+		created := createdWrap.Tenant
 		if created.Status != "trial" {
 			t.Fatalf("precondition: %q", created.Status)
 		}