feat(main): make provisioning available without cloning the platform repo

[marythought]

Problem

Consumers who want to set up OpenTDF must clone the entire platform repo and use go run to provision Keycloak and load fixtures. This is because:

1. provision keycloak defaults to reading ./service/cmd/keycloak_data.yaml (a hardcoded relative path). It does have a --file flag, but the YAML file isn't distributed separately.
2. provision fixtures hardcodes ./service/internal/fixtures/policy_fixtures.yaml with no --file override.
3. The container image includes the platform binary but not the provisioning YAML files.

This means even consumers following the Consuming guide need Go installed and the full source checkout just to bootstrap Keycloak.

Proposal

Make provisioning available as a standalone operation without requiring a source checkout. Some options:

Option A: Bundle provisioning data in the container image

• Include keycloak_data.yaml and policy_fixtures.yaml in the container image
• Add provision keycloak and provision fixtures as entrypoint subcommands
• Consumers could run: docker run opentdf/platform provision keycloak -e <keycloak-url>

Option B: Embed YAML files in the binary with //go:embed

• Embed the provisioning YAML files at compile time
• Remove the dependency on relative file paths
• The --file flag would still work as an override

Option C: Add provisioning to otdfctl

• Move provision keycloak into otdfctl (which is already distributed as a standalone binary)
• Consumers would run: otdfctl provision keycloak --endpoint <url>

Option D: Publish provisioning YAML files as release artifacts

• Attach keycloak_data.yaml to GitHub releases alongside the binary
• Document the --file flag in the consuming guide
• Add a --file flag to provision fixtures (currently missing)

Context

This came up while writing the production deployment guide — the guide currently has a warning explaining the source checkout requirement. Related: #1384