refactor(apply_gate): migrate Chronicle emission to CloudEvents

Replace fake Forgejo push webhook for APPLY_AUTHORIZED with
structured CloudEvents 1.0. Event carries diff_hash and mfa_method
as typed fields.

Event rename: APPLY_AUTHORIZED -> GOV_APPLY_AUTHORIZED

Signed-off-by: Tyler King <tking@guildhouse.dev>

org-ops-core/src/apply_gate.rs

@@ -214,29 +214,22 @@ pub fn run_apply_gate(
         _ => "no-mfa".to_string(),
     };
 
-    // Step 4: Chronicle APPLY_AUTHORIZED
-    let now = std::time::SystemTime::now()
-        .duration_since(std::time::UNIX_EPOCH)
-        .unwrap()
-        .as_secs();
-    let body = serde_json::json!({
-        "pusher": {"login": actor_did},
-        "ref": "refs/governance/APPLY_AUTHORIZED",
-        "repository": {"full_name": "platform/apply-governance"},
-        "commits": [{"message": format!("APPLY_AUTHORIZED: {} signed {}", actor_did, &diff_hash[..24])}],
-    });
-
-    let ok = reqwest::blocking::Client::new()
-        .post(chronicle_webhook)
-        .header("X-Forgejo-Event", "push")
-        .json(&body)
-        .timeout(Duration::from_secs(5))
-        .send()
-        .map(|r| r.status().is_success())
-        .unwrap_or(false);
+    // Step 4: Chronicle GOV_APPLY_AUTHORIZED
+    let chronicle = crate::chronicle_client::ChronicleClient::from_legacy_webhook(chronicle_webhook);
+    let ok = chronicle.emit(
+        "GOV_APPLY_AUTHORIZED",
+        actor_did,
+        &crate::chronicle_client::ChronicleClient::generate_id(),
+        serde_json::json!({
+            "kind": "GOV_APPLY_AUTHORIZED",
+            "description": format!("{} signed {}", actor_did, &diff_hash[..24]),
+            "diff_hash": diff_hash,
+            "mfa_method": policy.mfa_method,
+        }),
+    );
 
     if ok {
-        println!("\n  Chronicle: APPLY_AUTHORIZED recorded");
+        println!("\n  Chronicle: GOV_APPLY_AUTHORIZED recorded");
     }
 
     println!("  Authorization valid for {} seconds.", policy.mfa_timeout_secs);