Generate SQL and private keys for Snowflake Connections

[Zaimwa9]

Follow up of #7276

When we create a Snowflake connection:

• No credential fields. The server generates the RSA keypair — the customer never types a secret.

Request body (PATCH)

Any subset of the fields above. Omitted fields are left unchanged.

• type and account_identifier are immutable — changing them is effectively a new connection. Return 400 if included.

Response (201 Created on POST, 200 OK on PUT/PATCH)

{
  "id": "wc_abc123",
  "type": "snowflake",
  "status": "pending_customer_setup",
  "config": {
    "account_identifier": "xy12345.us-east-1",
    "warehouse": "COMPUTE_WH",
    "database": "FLAGSMITH",
    "schema": "ANALYTICS",
    "role": "FLAGSMITH_LOADER",
    "user": "FLAGSMITH_SERVICE"
  },
  "public_key": "MIICIjANBgkq...", // missing
  "setup_script": "-- Flagsmith Analytics\nUSE ROLE SYSADMIN;\n...", // missing
  "created_at": "2026-04-17T10:00:00Z"
}

• public_key and setup_script are returned so the customer can run the SQL directly in Snowflake.
• status starts as pending_customer_setup on create — test endpoint (Add test connection endpoint for warehouse connections (Snowflake) #7277) will flip this to connected.
• On PUT/PATCH, setup_script is regenerated to reflect the new config, and status resets to pending_customer_setup (any prior test result no longer applies). The RSA keypair is not regenerated.

Security

• Private key must be encrypted at rest before storing. It must never be returned in any API response.