Expose Azure user delegation SAS generation for scoped credential vending #751

@Xuanwo

Description

Background

Credential vending for Azure Blob Storage usually means a control plane obtains a user delegation key using Azure AD credentials and then issues a SAS token restricted to a container or directory prefix.

reqsign-azure-storage already has the pieces this needs: BearerToken authentication, the Get User Delegation Key request, and user delegation SAS presigning. However, the public API is still centered on signing a specific request. A catalog/namespace service needs a control-plane-friendly API that returns a SAS token string and its expiration for a target account/container/path/permission scope.

Proposal

Expose a public Azure user delegation SAS generation API that can:

  • use an existing Credential::BearerToken or ProvideCredential<Credential = Credential> to call Get User Delegation Key;
  • generate a SAS token for a container or path prefix;
  • accept explicit permissions and expiration;
  • return the SAS token plus its expiration timestamp;
  • use reqsign's existing Context::http_send path instead of depending on Azure SDK client types.

The API should be usable by downstream control planes that already performed their own authorization and only need the cloud-native scoped credential.

Relationship to SAS expiration

This should build on an expiration-aware Credential::SasToken so callers can feed the generated SAS token back into reqsign and rely on normal credential invalidation and refresh behavior.
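As an added illustration of the proposed API shape and of the expiry-aware return value described above (example code written for this issue, not reqsign's own implementation), the Go function below signs a user delegation SAS scoped to a container or a directory prefix using only the standard library's HMAC-SHA256, following the string-to-sign layout Azure documents for service version 2020-12-06. The key fields, account and container names are constructed placeholders; the function refuses a SAS that would outlive its delegation key and returns the token together with its expiration so a caller can drive invalidation and refresh from it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// Fields of a Get User Delegation Key response (Azure XML element names); Value is the base64 HMAC key.
type UserDelegationKey struct {
	SignedOid, SignedTid, SignedService, SignedVersion, Value string
	SignedStart, SignedExpiry                                 time.Time
}
const sasVersion = "2020-12-06"
func azTime(t time.Time) string { return t.UTC().Format("2006-01-02T15:04:05Z") }

// VendUserDelegationSAS signs a SAS for one container (sr=c) or one directory
// prefix inside it (sr=d) and returns the query string plus its expiry.
func VendUserDelegationSAS(k UserDelegationKey, account, container, dir, perms string, expiry time.Time) (string, time.Time, error) {
	if expiry.After(k.SignedExpiry) { // Azure rejects a SAS that outlives its delegation key
		return "", time.Time{}, errors.New("SAS expiry exceeds user delegation key expiry")
	}
	dir = strings.Trim(dir, "/")
	resource, canon := "c", "/blob/"+account+"/"+container
	if dir != "" {
		resource, canon = "d", canon+"/"+dir
	}
	// String-to-sign for service version 2020-12-06: 24 newline-separated fields, unused ones empty.
	sts := strings.Join([]string{perms, "", azTime(expiry), canon, k.SignedOid, k.SignedTid,
		azTime(k.SignedStart), azTime(k.SignedExpiry), k.SignedService, k.SignedVersion,
		"", "", "", "", "https", sasVersion, resource, "", "", "", "", "", "", ""}, "\n")
	key, err := base64.StdEncoding.DecodeString(k.Value)
	if err != nil {
		return "", time.Time{}, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(sts))
	q := url.Values{"sv": {sasVersion}, "sr": {resource}, "se": {azTime(expiry)}, "sp": {perms},
		"spr": {"https"}, "skoid": {k.SignedOid}, "sktid": {k.SignedTid}, "skt": {azTime(k.SignedStart)},
		"ske": {azTime(k.SignedExpiry)}, "sks": {k.SignedService}, "skv": {k.SignedVersion},
		"sig": {base64.StdEncoding.EncodeToString(mac.Sum(nil))}}
	if resource == "d" { // a directory SAS must also state its depth (sdd)
		q.Set("sdd", strconv.Itoa(strings.Count(dir, "/")+1))
	}
	return q.Encode(), expiry, nil
}
```

The permission letters passed as `perms` must be given in the order Azure documents for SAS permissions, and a directory-scoped SAS (sr=d) is only honoured on accounts with a hierarchical namespace.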

Non-goals

  • Do not add namespace/catalog authorization logic to reqsign.
  • Do not hard-code Lance-specific permission names or storage option keys.
  • Do not require downstreams to use Azure SDK clients just to vend SAS tokens.

Metadata

Labels: enhancement (New feature or request), rust (Pull requests that update Rust code)