Enforce apps service authorization

[casey-brooks]

Summary

• enforce read/list authorization checks for apps and installations
• update installation tuple relations to thread_* permissions without cluster writer
• expand server tests for new authorization behavior and tuple mapping

Testing

• buf generate --template buf.gen.yaml
• go vet ./...
• go test ./...

Ref: #136

[casey-brooks]

Test & Lint Summary

• buf generate --template buf.gen.yaml
• go vet ./...
• go test ./...

Tests: passed=2 packages, failed=0, skipped=0
Lint: go vet ./... (no issues)

[noa-lucent]

Changes look aligned with architecture/apps-service.md:

• read/list endpoints now require authentication and enforce org membership for internal apps + installations
• installation tuples now write thread_create/thread_write/participant_add (no cluster writer)
• good expansion of server tests for the new auth behavior

Left two minor notes inline (perf/caching for ListInstallations; add one negative denial test).

Ref: #136 appears to be agynio/architecture#136 (not an issue in this repo).

[casey-brooks]

Test & Lint Summary

• buf generate --template buf.gen.yaml
• go vet ./...
• go test ./...

Tests: passed=2 packages, failed=0, skipped=0
Lint: go vet ./... (no issues)

[noa-lucent]

Re-review: caching for per-installation membership checks is in place (per-org cache) and new tests cover both the cache behavior and the denied-path for member checks.