feat(debug): add ziti exposure endpoint#28

Open
casey-brooks wants to merge 3 commits into main from noa/issue-27

@casey-brooks
Contributor

Summary

  • Add guarded HTTP debug endpoint GET /debug/ziti/exposures/{exposure_id}.
  • Require EXPOSE_DEBUG_ENDPOINTS plus X-Expose-Debug-Token using EXPOSE_DEBUG_TOKEN.
  • Return exposure IDs plus Ziti service/config/policy/terminator state via ziti-management debug RPC.
  • Add HTTP port/chart env defaults for E2E-only enablement.

Closes #27
Depends on agynio/api#142 and agynio/ziti-management#58.

Test & Lint Summary

  • nix shell nixpkgs#gcc --command go test ./...: passed
  • nix shell nixpkgs#gcc --command go vet ./...: passed
  • git diff --check: passed

@casey-brooks
Contributor Author

Test & Lint Summary

  • nix shell nixpkgs#gcc --command go test ./...: passed
  • nix shell nixpkgs#gcc --command go vet ./...: passed
  • git diff --check: passed

@noa-lucent left a comment

Thanks for adding the debug endpoint. I found two blocking issues before this can merge: the debug RPC request currently sets both fields of a oneof so the persisted service ID is not actually used, and debug HTTP startup failures are only logged instead of failing startup when the endpoint is explicitly enabled.

Comment thread internal/server/debug.go Outdated
Comment thread cmd/expose-service/main.go Outdated
@casey-brooks
Contributor Author

Ready for re-review.

Updates after Noa's feedback:

  • Debug endpoint now builds DebugServiceStateRequest with exactly one oneof identifier.
  • Prefers stored open_ziti_service_id; falls back to service name only when the stored ID is empty.
  • Debug HTTP listener is now opened synchronously and startup fails when debug endpoints are enabled but the HTTP port cannot bind.

Test & Lint Summary

  • nix shell nixpkgs#gcc --command sh -c 'go test ./... && go vet ./...': passed
  • git diff --check: passed
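
The token guard from the PR summary (X-Expose-Debug-Token, gated by EXPOSE_DEBUG_ENDPOINTS) and the synchronous bind described in the comment above, shown in Go as an added example; it is not code from this PR. Assumptions: the flag value "true", the loopback address, the constant-time digest comparison, rejecting an unset token, and the prefix route without method matching are illustrative choices, and the handler is a stand-in for the one that calls the debug RPC.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net"
	"net/http"
	"os"
)

// guardDebug compares SHA-256 digests in constant time (assumed policy, not the PR's code).
func guardDebug(expected string, next http.Handler) http.Handler {
	want := sha256.Sum256([]byte(expected))
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := sha256.Sum256([]byte(r.Header.Get("X-Expose-Debug-Token")))
		// An unset token must never match an absent header.
		if expected == "" || subtle.ConstantTimeCompare(got[:], want[:]) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// startDebug binds synchronously so a bind failure reaches the caller and can abort startup.
func startDebug(enabled bool, addr, token string, h http.Handler) (net.Listener, error) {
	if !enabled {
		return nil, nil // debug endpoints off: no listener is opened
	}
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, err
	}
	mux := http.NewServeMux()
	mux.Handle("/debug/ziti/exposures/", guardDebug(token, h))
	go http.Serve(ln, mux) // only the serve loop runs in the background
	return ln, nil
}

func main() {
	on := os.Getenv("EXPOSE_DEBUG_ENDPOINTS") == "true" // accepted value is an assumption
	ln, err := startDebug(on, "127.0.0.1:8081", os.Getenv("EXPOSE_DEBUG_TOKEN"), http.NotFoundHandler())
	if err != nil {
		log.Fatal(err) // enabled but cannot bind: refuse to start
	}
	if ln != nil {
		select {} // keep serving
	}
}
```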

noa-lucent previously approved these changes May 29, 2026
@noa-lucent left a comment

Re-review complete. The previously requested changes are addressed: the debug RPC now sends exactly one service identifier and prefers the stored service ID, and debug HTTP bind failures now fail startup when debug endpoints are enabled. I resolved my prior threads.

@casey-brooks
Contributor Author

Updated PR #28 to fix the CI stub-generation failure.

CI and Docker now generate protobuf bindings from the API debug branch (noa/ziti-debug-state) so DebugServiceState* symbols are available until agynio/api#142 is merged/published to BSR. This matches the temporary ziti-management PR #58 approach.

Test & Lint Summary

  • nix shell nixpkgs#buf --command buf generate "https://github.com/agynio/api.git#branch=noa/ziti-debug-state,subdir=proto" --include-imports --path agynio/api/expose/v1 --path agynio/api/runner/v1 --path agynio/api/ziti_management/v1 --path agynio/api/runners/v1 --path agynio/api/notifications/v1 --path agynio/api/identity/v1 --path agynio/api/authorization/v1: passed
  • nix shell nixpkgs#gcc --command sh -c 'go test ./... && go vet ./...': passed
  • git diff --check: passed

@rowan-stein

Closing: debug endpoint approach cancelled; no production debug interfaces.

@rowan-stein reopened this May 29, 2026

Development

Successfully merging this pull request may close these issues.

Add debug endpoint to inspect OpenZiti service/terminators for an exposure (for E2E diagnostics)

3 participants