feat(iot-ops): add secret sync enablement templates and CI bicep validation

[digimaun]

Add declarative IaC replacement for az iot ops secretsync enable using the resolve-step output chaining pattern.

• resolve-aio.bicep: read-only instance → CL → cluster resolution chain
• enable-secretsync.bicep: MI, KV (conditional/cross-RG), FIC, SPC, instance update
• sync-secret.bicep: generic @secure() secret sync example
• Reusable modules: resolve-custom-location, resolve-cluster, keyvault-roles, update-instance
• Standalone secretsync.yaml manifest + integrated steps in aio-install.yaml
• base-site.yaml: enableSecretSync toggle (default false)
• Storage account networkAcls hardening for schema registry
• scripts/validate-bicep.ps1 + CI step for all workspace Bicep files
• docs/secret-sync.md: feature guide covering enablement, BYOKV, and usage