Refresh docs/arch/ to match current codebase

[JAORMX]

Summary

The architecture documentation under docs/arch/ had drifted since the v1beta1 CRD graduation and the migration of several packages (permissions, registry/types, redis client construction, etc.) into the sibling toolhive-core repository. This PR refreshes all 15 affected docs so that every code reference, field path, and behavioural claim resolves against the current code in both toolhive and toolhive-core.

The refresh was produced by a two-pass review: one read-only cross-reference pass per doc (verifying every claim against the codebase), followed by a fix pass that applies confirmed drifts only.

Highlights:

• Repoint moved packages — pkg/permissions, pkg/registry/types, pkg/registry/data/registry.json, runtime monitor, registry-api manager.
• Expand the operator CRD inventory — add EmbeddingServer (Auxiliary, StatefulSet) and MCPWebhookConfig; rename ToolConfig to MCPToolConfig in tables and relationship diagram.
• Fix CRD field paths — spec.config.compositeToolRefs, spec.incomingAuth.oidcConfigRef on VirtualMCPServer, MCPGroupRef consumers expanded to all four CRDs that reference it.
• Rewrite vMCP middleware order table to match the wrap order in pkg/vmcp/server/server.go; correct Reporter interface naming; note that the CLI logging reporter is Debug-level.
• Auth-server storage doc gains Cluster mode end-to-end (overview, diagram, CRD shape); flatten the timeouts CRD diagram into sibling fields; fix sentinelTls casing; surface DCRCredentialStore.
• Replace stale registry pieces — built-in catalog source, legacy top-level JSON examples (clarified as in-memory types.Registry shape vs on-disk UpstreamRegistry), registry-API endpoint paths (/v0.1/servers, /v0.1/servers/:name/versions/latest); deprecation note on thv group run.
• Transport doc updates — NamedMiddleware constructor type; MCP env vars emitted only by pkg/runtime/setup.go; 127.0.0.1 default lives in the config builder; SSE rewrite functions in sse_response_processor.go.
• Complete middleware enumeration in 02-core-concepts.md and 05-runconfig-and-permissions.md (adds upstreamswap, awssts, obo, ratelimit, usagemetrics, recovery, header-forward, validating-webhook, mutating-webhook); fix authz -> authorization constant.
• Restore the pkg/secrets/types.go reference for EnvVarPrefix + Provider interface; point the pod builder at pkg/controllerutil/.
• Skills doc — replace the nonexistent skillsvc.go references with the real file inventory; document the GET /content REST endpoint; mark oci_tags as reserved; correct the OCI artifact name-match rule (last path component).
• Smaller fixes — OrbStack added across runtime lists; runtime detection order corrected (Podman -> Docker -> Colima); drop bogus TOOLHIVE_DETACHED env var and SENTRY_TRACES_SAMPLE_RATE env-var fallback claim; add unknown and policy_stopped to the workload lifecycle states; add inspector transport.
• StatefulSet wording preserved throughout — thv-proxyrunner runs as a Deployment, but the MCP server pod itself is a StatefulSet created via pkg/container/kubernetes/client.go applyStatefulSet. An earlier audit got this wrong; this PR does not repeat that.

Type of change

• Documentation update

Test plan

• Cross-referenced every claim in each updated doc against the current code in toolhive and toolhive-core (read-only verification pass).
• Verified each applied edit against the cited file/symbol (fix pass).
• Spot-checked Mermaid diagram syntax for the modified diagrams.
• Confirmed StatefulSet/Deployment wording survives the refresh (the prior audit was wrong on this; verified against applyStatefulSet).

Does this introduce a user-facing change?

No — docs only.

Special notes for reviewers

This PR is bigger than the usual 400-line / 10-file limit, which is acceptable for docs-only changes per .claude/rules/pr-creation.md. Per-file diffs are small except for 09-operator-architecture.md, which had the largest structural drift (MCPRegistry source-handler section had referred to a pkg/sources/ tree that no longer exists). The new section reflects the current model where configYAML is passed verbatim to the registry-api server.

One adjacent code drift was noted but not fixed here (out of scope): cmd/thv-operator/controllers/mcpexternalauthconfig_controller.go:192 — the IdentitySynthesizedInactive message still says "All OAuth2 upstreams have userInfo configured" even though the predicate now also accepts identityFromToken. Worth a follow-up.

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.77%. Comparing base (8fbc935) to head (1590fc9).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5388      +/-   ##
==========================================
- Coverage   68.84%   68.77%   -0.07%     
==========================================
  Files         627      627              
  Lines       63644    63644              
==========================================
- Hits        43816    43774      -42     
- Misses      16574    16617      +43     
+ Partials     3254     3253       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.