Support channels in the provisioner API

[midigofrank]

Description

GET /api/provision/:id and POST /api/provision now round-trip channels alongside workflows and collections. JSON exposes destination_credential_id; YAML uses a hyphenated email-credential-name key under destination_credential (matching how jobs reference credentials).

Channel deletion is rejected with an actionable error directing the user to the dashboard. channel_requests have a RESTRICT FK that needs draining first, and the dashboard handles that transactionally — the provisioner shouldn't.

Channel changes emit the same audits as Channels.create_channel/2 and update_channel/3 (created/updated plus auth_method_added/removed/changed for the destination credential).

The :channels has_many was moved above :project_credentials on Project so Ecto's reverse-declaration child-processing order inserts project_credentials before channel_auth_methods, letting the destination FK resolve when both are created in the same import.

Closes #4522

Validation steps

1. Create channels
2. Export your project in the settings page
3. Your downloaded yaml will contain the channels
4. You can also validate this using the cli, right now using Support channels in provisioner kit#1412

AI Usage

Please disclose whether you've used AI anywhere in this PR (it's cool, we just
want to know!):

• I have used Claude Code
• I have used another model
• I have not used AI

You can read more details in our
Responsible AI Policy

Pre-submission checklist

• I have performed an AI review of my code (we recommend using /review
  with Claude Code)
• I have implemented and tested all related authorization policies.
  (e.g., :owner, :admin, :editor, :viewer)
• I have updated the changelog.
• I have ticked a box in "AI usage" in this PR

[codecov]

Codecov Report

❌ Patch coverage is 91.66667% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.04%. Comparing base (928c441) to head (7a933df).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
lib/lightning/projects/provisioner.ex	89.74%	4 Missing ⚠️
lib/lightning/channels/audit.ex	84.61%	2 Missing ⚠️
lib/lightning/export_utils.ex	94.44%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4757      +/-   ##
==========================================
+ Coverage   90.02%   90.04%   +0.02%     
==========================================
  Files         448      448              
  Lines       22487    22557      +70     
==========================================
+ Hits        20243    20312      +69     
- Misses       2244     2245       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Security Review ✅

• S0 (project scoping): New validate_project_credential_in_project/2 in lib/lightning/projects/provisioner.ex:537 rejects any project_credential_id not in this project's PC set (derived from loaded PCs plus user-owned additions via maybe_add_project_credentials); tests at test/lightning/projects/provisioner_test.exs:1459 and :1496 cover the channel and job cross-project rejection paths.
• S1 (authorization): N/A, no new web-layer entrypoints — provisioner-internal validation refactor only.
• S2 (audit trail): Same channel_created/updated and auth_method_added/removed/changed events are still emitted; Channels.Audit.audit_auth_method_changes/4 (lib/lightning/channels/audit.ex:35) now uses System.unique_integer/1 step keys so audits can be batched per channel in one Multi without key collisions.

[elias-ba]

Really nice one dude 👏🏽