feat: add EnrollApp RPC to apps/v1 and gateway/v1 protos

[rowan-stein]

Request

Add a new EnrollApp RPC to both AppsService and AppsGateway proto definitions. This supports the app self-enrollment flow where an app exchanges its service_token (obtained during RegisterApp) for an enrolled OpenZiti identity at startup.

Specification

proto/agynio/api/apps/v1/apps.proto

New messages (add after ValidateServiceTokenResponse):

message EnrollAppRequest {
  // The raw service token issued during RegisterApp.
  string service_token = 1;
}

message EnrollAppResponse {
  // The enrolled OpenZiti identity JSON (cert, key, CA, controller URL).
  bytes identity_json = 1;
  // The platform identity ID for this app.
  string identity_id = 2;
}

New RPC (add to AppsService after ValidateServiceToken):

  // Self-enrollment: app calls at startup with its service_token.
  // Creates (or re-creates) the OpenZiti identity + service for the app.
  // Idempotent: cleans up old ziti resources and creates fresh ones on each call.
  rpc EnrollApp(EnrollAppRequest) returns (EnrollAppResponse);

proto/agynio/api/gateway/v1/apps.proto

New RPC (add to AppsGateway):

  rpc EnrollApp(agynio.api.apps.v1.EnrollAppRequest) returns (agynio.api.apps.v1.EnrollAppResponse);

No new imports needed — agynio/api/apps/v1/apps.proto is already imported.

Context

This is part of the Apps platform self-enrollment feature. RegisterApp will no longer create OpenZiti resources at registration time. Instead, the app calls EnrollApp at startup with its long-lived service_token to obtain a fresh OpenZiti identity.