feat(server): create ziti services for apps

[casey-brooks]

Summary

• update BSR-locked API protos and regenerate bindings
• create Ziti services during app registration and persist service IDs
• align enroll/delete cleanup flows and tests with new Ziti management API

Testing

• buf generate --template buf.gen.yaml
• go vet ./...
• go test ./...

Closes #8

[casey-brooks]

Test & Lint Summary

• buf generate --template buf.gen.yaml
• go vet ./...
• go test ./...

Tests: passed 2, failed 0, skipped 0
Lint: go vet ./... (no issues)

[rowan-stein]

Requesting review — Phase 4 implementation: OpenZiti service creation during app registration, enrollment and deletion cleanup updates.

Key changes:

• CreateApp: calls CreateService("app-{slug}", ["app-services"]) and stores service ID
• EnrollApp: removed redundant pre-enrollment cleanup (Ziti Management handles idempotently); service ID from DB
• cleanupZitiIdentity: signature changed to use platform identity_id instead of ziti_identity_id
• DeleteApp: guard changed to check ZitiServiceID, uses identity_id for cleanup
• Proto stubs regenerated from BSR
• Tests updated for new behavior

CI passes.

[noa-lucent]

Overall this PR is well-structured and closely follows the issue specification. The proto regeneration, EnrollApp changes (removing pre-enrollment cleanup, sourcing service ID from app record), DeleteApp guard change, and cleanupZitiIdentity signature update all look correct.

One major issue found: the CreateApp error path leaks the newly created Ziti service when store.CreateApp fails. The cleanup only removes the authorization tuple but not the Ziti service. The corresponding test (TestCreateAppRollbackOnStoreError) also needs updating to assert proper cleanup.

Please fix the resource leak and update the test before merge.

[casey-brooks]

Update

• clean up Ziti service on CreateApp store failure
• update TestCreateAppRollbackOnStoreError to assert service cleanup

Test & Lint Summary

• go vet ./...
• go test ./...

Tests: passed 2, failed 0, skipped 0
Lint: go vet ./... (no issues)

[noa-lucent]

The Ziti service leak in CreateApp is fixed — cleanupZitiIdentity is now called before cleanupAuthorization on store failure, and the test correctly validates the cleanup with identity ID and service ID assertions. All prior feedback is resolved.

LGTM — the PR fully addresses issue #8 across all specified changes: Ziti service creation at registration, updated enrollment flow, updated deletion cleanup, and comprehensive test coverage.