fix(security): dispatch audit events outside broker lock; index tokens by value (#1607)
Addresses review feedback on the secrets broker:

- Audit events were emitted inside ``SecretsBroker._lock``. A slow or reentrant audit sink could stall every broker operation or deadlock if the sink called back into the broker. The lock now only marks state transitions; events are staged inside the critical section and emitted after release. Added a regression test that exercises a reentrant sink to pin the contract.
- ``resolve`` previously scanned the whole registry. Added a secondary ``_by_value`` index so token-value lookup is O(1).
- Doc typo: "maps secret names to values".
chernistry committed
5702189eddd64fd5fa1ac6dc02feb27ae7fa516f
Parent: 3670d60
Committed by GitHub <noreply@github.com>
on 5/19/2026, 6:54:31 PM
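
The locking contract described in the commit message, as an added sketch that is not the project's own code. Python is assumed; apart from `SecretsBroker`, `_lock`, `_by_value` and `resolve`, every name here (`issue`, `_by_name`, `_dispatch`, the event fields, the demo function) is hypothetical.

```python
import secrets
import threading

class SecretsBroker:
    """Hypothetical minimal broker: stage audit events under the lock, emit after."""
    def __init__(self, sink):
        self._lock = threading.Lock()  # non-reentrant, so emitting under it would deadlock
        self._by_name = {}             # secret name -> token value
        self._by_value = {}            # token value -> secret name, for O(1) resolve
        self._sink = sink              # callable(event: dict); may be slow or reentrant

    def issue(self, name):
        staged = []
        with self._lock:               # critical section only changes state
            old = self._by_name.pop(name, None)
            if old is not None:        # re-issue: drop the stale index entry
                del self._by_value[old]
                staged.append({"action": "revoke", "name": name})
            token = secrets.token_urlsafe(16)
            self._by_name[name] = token
            self._by_value[token] = name
            staged.append({"action": "issue", "name": name})
        self._dispatch(staged)         # lock already released here
        return token

    def resolve(self, token):
        with self._lock:
            name = self._by_value.get(token)   # index lookup, no registry scan
            staged = [{"action": "resolve", "name": name, "hit": name is not None}]
        self._dispatch(staged)
        return name

    def _dispatch(self, staged):
        for event in staged:           # events carry names only, never token values
            self._sink(event)

def reentrant_sink_demo(timeout=2.0):
    """Return (completed, actions_seen) for a sink that calls back into the broker."""
    seen, broker = [], None

    def sink(event):
        seen.append(event["action"])
        if event["action"] == "issue":
            broker.resolve("constructed-unknown-token")  # reentrant call from the sink
    broker = SecretsBroker(sink)
    worker = threading.Thread(target=broker.issue, args=("db-password",), daemon=True)
    worker.start()
    worker.join(timeout)               # a deadlocked worker would still be alive
    return (not worker.is_alive(), seen)
```

Moving either `_dispatch` call inside its `with self._lock:` block makes `reentrant_sink_demo` report `completed == False`, which is the failure the commit's regression test is described as pinning.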