feat(phase-2): workstream 5 — OPA Policy Engine

- policies/authz.rego: Rego policy with path normalisation and scope enforcement
- policies/data/scopes.json: all 13 endpoint → scope mappings
- src/middleware/opa.ts: OpaMiddleware with Wasm primary path + scopes.json fallback;
  exports createOpaMiddleware() and reloadOpaPolicy() for SIGHUP hot-reload
- All four route files: opaMiddleware wired after authMiddleware
- AuditController, OAuth2Service: manual scope checks removed (now centralised in OPA)
- src/server.ts: SIGHUP handler calls reloadOpaPolicy()
- docs/devops/environment-variables.md: POLICY_DIR documented
- 38 new tests; 302/302 passing; opa.ts coverage 98.66% statements

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

policies/data/scopes.json

@@ -0,0 +1,17 @@
+{
+  "endpoint_permissions": {
+    "GET:/api/v1/agents":                                   ["agents:read"],
+    "GET:/api/v1/agents/:id":                              ["agents:read"],
+    "POST:/api/v1/agents":                                 ["agents:write"],
+    "PATCH:/api/v1/agents/:id":                            ["agents:write"],
+    "DELETE:/api/v1/agents/:id":                           ["agents:write"],
+    "GET:/api/v1/agents/:id/credentials":                  ["agents:read"],
+    "POST:/api/v1/agents/:id/credentials":                 ["agents:write"],
+    "POST:/api/v1/agents/:id/credentials/:credId/rotate":  ["agents:write"],
+    "DELETE:/api/v1/agents/:id/credentials/:credId":       ["agents:write"],
+    "POST:/api/v1/token/introspect":                       ["tokens:read"],
+    "POST:/api/v1/token/revoke":                           ["tokens:read"],
+    "GET:/api/v1/audit":                                   ["audit:read"],
+    "GET:/api/v1/audit/:id":                               ["audit:read"]
+  }
+}