feat: Implement provisioning pipelines for subscription management

- Add ReactivatePipeline to handle subscription reactivation, including scaling Docker services, health verification, status updates, audit logging, and broadcasting status changes.
- Introduce RotateCredentialsPipeline for OAuth2 credential rotation, managing the deletion of old apps, creation of new ones, credential storage, access verification, and audit logging.
- Create StepRunner to manage job step execution, including lifecycle management and progress broadcasting via SignalR.
- Implement SuspendPipeline for subscription suspension, scaling down services, updating statuses, logging audits, and broadcasting changes.
- Add UpdateScreenLimitPipeline to update Xibo CMS screen limits and record snapshots.
- Introduce XiboFeatureManifests for hardcoded feature ACLs per role.
- Add docker-compose.dev.yml for local development with PostgreSQL setup.

OTSSignsOrchestrator.Server/Health/Checks/ByoiCertExpiryHealthCheck.cs

@@ -0,0 +1,69 @@
+using OTSSignsOrchestrator.Server.Data.Entities;
+
+namespace OTSSignsOrchestrator.Server.Health.Checks;
+
+/// <summary>
+/// For Pro plan BYOI customers: checks certificate expiry from <see cref="ByoiConfig"/>.
+/// Alerts at 60-day (Warning), 30-day (Warning), 7-day (Critical) thresholds.
+/// AutoRemediate=false — customer must rotate their IdP certificate via the portal.
+/// </summary>
+public sealed class ByoiCertExpiryHealthCheck : IHealthCheck
+{
+    /// <summary>Alert thresholds in days (descending).</summary>
+    internal static readonly int[] AlertThresholdDays = [60, 30, 7];
+
+    /// <summary>Days at or below which severity escalates to Critical.</summary>
+    internal const int CriticalThresholdDays = 7;
+
+    public string CheckName => "ByoiCertExpiry";
+    public bool AutoRemediate => false;
+
+    public Task<HealthCheckResult> RunAsync(Instance instance, CancellationToken ct)
+    {
+        // Only applies to instances with an enabled BYOI config
+        var byoiConfig = instance.ByoiConfigs.FirstOrDefault(b => b.Enabled);
+        if (byoiConfig is null)
+        {
+            return Task.FromResult(new HealthCheckResult(HealthStatus.Healthy,
+                "No BYOI config — check not applicable"));
+        }
+
+        // Only Pro customers have BYOI
+        if (instance.Customer.Plan != CustomerPlan.Pro)
+        {
+            return Task.FromResult(new HealthCheckResult(HealthStatus.Healthy,
+                "Non-Pro plan — BYOI check not applicable"));
+        }
+
+        var daysRemaining = (byoiConfig.CertExpiry - DateTime.UtcNow).TotalDays;
+
+        if (daysRemaining <= 0)
+        {
+            return Task.FromResult(new HealthCheckResult(HealthStatus.Critical,
+                $"BYOI certificate has EXPIRED (expired {Math.Abs((int)daysRemaining)} days ago)",
+                "Customer must rotate their IdP certificate via the portal immediately"));
+        }
+
+        if (daysRemaining <= CriticalThresholdDays)
+        {
+            return Task.FromResult(new HealthCheckResult(HealthStatus.Critical,
+                $"BYOI certificate expires in {(int)daysRemaining} days",
+                "Urgent: customer must rotate their IdP certificate"));
+        }
+
+        // Check warning thresholds (60 and 30 days)
+        foreach (var threshold in AlertThresholdDays)
+        {
+            if (threshold <= CriticalThresholdDays) continue;
+            if (daysRemaining <= threshold)
+            {
+                return Task.FromResult(new HealthCheckResult(HealthStatus.Degraded,
+                    $"BYOI certificate expires in {(int)daysRemaining} days (threshold: {threshold}d)",
+                    "Customer should plan certificate rotation"));
+            }
+        }
+
+        return Task.FromResult(new HealthCheckResult(HealthStatus.Healthy,
+            $"BYOI certificate valid for {(int)daysRemaining} more days"));
+    }
+}