feat(tpsc): Third-Party Services Catalog (CUST-WP-0023)

Introduces TPSC for tracking external service dependencies with GDPR
compliance maturity (CNIL/IAPP CMMI scale), pricing model, ToS, and
data retention information across all repos.

Primary data:
- canon/tpsc/{openai,anthropic,gemini,openrouter}-api.yaml — service definitions
- tpsc.yaml in each repo (llm-connect seeded with 4 services)

State-hub additions:
- Migration j7e8f9a0b1c2: tpsc_catalog + tpsc_snapshots + tpsc_entries
- api/models/tpsc.py, api/schemas/tpsc.py, api/routers/tpsc.py
- /tpsc/catalog/, /tpsc/ingest/, /tpsc/snapshots/, /tpsc/report/gdpr endpoints
- 4 MCP tools: register_service, list_services, ingest_tpsc_tool, get_gdpr_report
- scripts/ingest_tpsc.py + make ingest-tpsc[/-all] targets
- Dashboard: tpsc.md page + docs/tpsc.md

GDPR maturity scale: unknown | non_compliant | initial | developing | defined | managed | certified
Warnings triggered at: unknown, non_compliant, initial

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Makefile

@@ -183,6 +183,19 @@ ingest-capabilities-all:
 	uv run python scripts/ingest_capabilities.py --all \
 		$(if $(DRY_RUN),--dry-run)
 
+## Ingest tpsc.yaml service declarations from a repo into the TPSC catalog.
+## Usage: make ingest-tpsc REPO=llm-connect
+## Or:    make ingest-tpsc-all
+## Add DRY_RUN=1 to preview without writing.
+ingest-tpsc:
+	@test -n "$(REPO)" || (echo "ERROR: REPO is required."; exit 1)
+	uv run python scripts/ingest_tpsc.py --repo "$(REPO)" \
+		$(if $(DRY_RUN),--dry-run)
+
+ingest-tpsc-all:
+	uv run python scripts/ingest_tpsc.py --all \
+		$(if $(DRY_RUN),--dry-run)
+
 ## Run SBOM capture agent for a repo — generates/updates sbom-tools.yaml.
 ## Usage: make capture-tools REPO=railiance-infra [REPO_PATH=/home/worsch/railiance-infra]
 ## Add DRY_RUN=1 to preview without writing.