Summary

Closes the `parent_agent` cascade gap surfaced on scaleapi/agentex#354. Stacked on PR #248 (AGX1-272 dual-write).

The api_key dual-write currently calls `authorization_service.grant(api_key)` which writes the owner edge in SpiceDB but NOT the `parent_agent` edge. The `agent_api_key` schema requires:

```
permission read = internal_effective_viewer & parent_agent->read & internal_tenant_gate
permission update = internal_effective_editor & parent_agent->update & internal_tenant_gate
```

Without the `parent_agent` edge, every downstream read/update fails closed — even for the owner.

This PR adds `register_resource` / `deregister_resource` methods and swaps the api_keys use case to write the parent edge atomically.

Dependency chain

This is PR #3 of 3 in a cross-repo coordinated change. Must merge in order:

Changes

• `src/adapters/authorization/port.py` — abstract `register_resource(resource, parent=None)` and `deregister_resource(resource)` on `AuthorizationGateway`.
• `src/adapters/authorization/adapter_agentex_authz_proxy.py` — POST `/v1/authz/register` and `/v1/authz/deregister` to agentex-auth.
• `src/domain/services/authorization_service.py` — `register_resource` and `deregister_resource` service methods mirroring the existing grant/revoke pattern (`principal_context` override, `_bypass` support, parent shown in log line for cascade debugging).
• `src/domain/use_cases/agent_api_keys_use_case.py` —
  • Swap `grant → register_resource` in `_register_api_key_in_spark_authz`, passing `parent=AgentexResource.agent(agent_id)`.
  • Swap `revoke → deregister_resource` in `_deregister_api_key_from_spark_authz`.
  • `except Exception` wrappers preserved: fail-closed on register, best-effort on deregister.
• `tests/integration/services/test_agent_api_key_service_dual_write.py` — rename mocks to `register_resource`/`deregister_resource`; add explicit assertion that the `parent` edge is passed correctly (the load-bearing part — this is what prevents the cascade from failing closed).

5 files, +215/-66.

Test plan

• `uv run pytest agentex/tests/integration/services/test_agent_api_key_service_dual_write.py` — 8/8 pass.
• New assertion in `test_create_api_key_calls_grant_when_flag_on`:
  ```python
  registered_parent = register.await_args.kwargs["parent"]
  assert registered_parent.type == AgentexResourceType.agent
  assert registered_parent.selector == agent.id
  ```
  This is the contract that protects against silently dropping the parent edge in future changes.
• All existing dual-write semantics preserved: flag-on, flag-off, no-creator skip, register-failure-prevents-row, deregister-failure-does-not-block-delete.
• End-to-end verification against a real SpiceDB once the full stack (PR Bump next from 15.2.3 to 15.5.6 in /agentex-web #1, Bump cross-spawn from 7.0.3 to 7.0.6 in /agentex-web #2, Bump brace-expansion in /agentex-web #3, feat(AGX1-272): dual-write agent_api_keys to spark-authz behind FGAC flag #248) is merged and `Provider.spark` is exercised in dev.

Why this stacks on #248

The use-case change in `_register_api_key_in_spark_authz` directly depends on PR #248's existing code structure (the method, the feature flag check, the creator metadata population). Building on top of #248 makes the diff small and the intent obvious.

If #248 changes during review, this PR rebases mechanically. If the team prefers to fold the parent-edge work into #248 directly (one PR instead of two), happy to do that too.

Out of scope

• Other resource types' grant→register_resource swap (`task`, `build`, `deployment`, `schedule`). Each is its own follow-up; Asher's task PR feat(AGX1-274): record task creator identity and FGAC migration safety #246 has the same gap.
• Backfill for existing api_keys created without the parent edge. Reconcile job tracked separately.