feat: sign-in provider chooser, API docs, and dashboard URLs (PROT-7)

[BlakeHastings]

Registry follow-ups for PROT-7, consolidated.

Sign-in provider chooser

Previously /connect/authorize slammed unauthenticated users straight into GitHub. Now:

• Unauthenticated authorize requests redirect to a registry-owned sign-in chooser (/login) that lists the configured providers; picking one (/login/challenge) forwards through it and back to the original authorize request.
• A client may pass an identity_provider hint (e.g. identity_provider=github) to auto-forward and skip the chooser.
• Providers are data-driven (AuthProviders), so adding Google/Microsoft/etc. later is just a list entry + a registered handler.
• Return URLs are validated as local-only (no open redirect).

API docs + dashboard URLs

• OpenAPI document at /openapi/v1.json (built-in) and an interactive Scalar reference at /scalar/v1 (Development only).
• The Aspire api resource shows named, clickable links (API reference, OpenAPI, Service metadata, OpenID configuration, Health) instead of raw base URLs.

Infra

• Pin Postgres to image tag 18.
• Aspire packages aligned to 13.4.0.

Verification

• dotnet test green (4/4, incl. a new test that the chooser page lists providers).
• Smoke-tested against a running registry: authorize with no hint → 302 /login; the chooser renders the GitHub option; /login/challenge?provider=github → 302 github.com; authorize with identity_provider=github → 302 github.com (chooser skipped). The OpenAPI/Scalar/health links all resolve.

Part of PROT-7.