feat(phase-2): workstream 5 — OPA Policy Engine

- policies/authz.rego: Rego policy with path normalisation and scope enforcement
- policies/data/scopes.json: all 13 endpoint → scope mappings
- src/middleware/opa.ts: OpaMiddleware with Wasm primary path + scopes.json fallback;
  exports createOpaMiddleware() and reloadOpaPolicy() for SIGHUP hot-reload
- All four route files: opaMiddleware wired after authMiddleware
- AuditController, OAuth2Service: manual scope checks removed (now centralised in OPA)
- src/server.ts: SIGHUP handler calls reloadOpaPolicy()
- docs/devops/environment-variables.md: POLICY_DIR documented
- 38 new tests; 302/302 passing; opa.ts coverage 98.66% statements

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docs/devops/environment-variables.md

@@ -117,6 +117,21 @@ KV v2 secrets engine mount path.
 
 ---
 
+### `POLICY_DIR`
+
+Directory containing OPA policy files (`authz.rego`, `authz.wasm`, `data/scopes.json`).
+
+| | |
+|-|-|
+| **Required** | No |
+| **Default** | `<cwd>/policies` |
+| **Format** | Absolute or relative directory path |
+| **Example** | `POLICY_DIR=/etc/sentryagent/policies` |
+
+At startup the OPA authorization middleware loads `${POLICY_DIR}/authz.wasm` (Wasm mode) if present; otherwise it loads `${POLICY_DIR}/data/scopes.json` (fallback mode). Send `SIGHUP` to the process to hot-reload the policy files without a restart.
+
+---
+
 ### `PORT`
 
 HTTP port the Express server listens on.
@@ -187,6 +202,9 @@ MIIBIjANBgkq...
 # VAULT_ADDR=http://127.0.0.1:8200
 # VAULT_TOKEN=hvs.XXXXXXXXXXXXXXXXXXXXXX
 # VAULT_MOUNT=secret
+
+# OPA Policy Engine (Phase 2 — optional, defaults to <cwd>/policies)
+# POLICY_DIR=/etc/sentryagent/policies
 ```
 
 > Do not commit `.env` to version control. Add it to `.gitignore`.