
Add private networks and groups API contracts #149

@rowan-stein

Description


Context

Implement the contract foundation for Private Networks and Groups based on agynio/architecture@2b51477.

Relevant architecture docs:

  • changes/2026-06-05-private-networks.md
  • architecture/private-networks.md
  • architecture/networks-service.md
  • architecture/groups-service.md
  • architecture/openziti.md
  • architecture/messaging.md
  • architecture/resource-definitions.md

This is the first implementation slice. It defines shared protobuf contracts only; runtime service implementation will follow after contracts are stable.

Scope

Add API contracts for:

  1. Groups service
  2. Groups Gateway
  3. Networks service
  4. Networks Gateway
  5. Groups durable event payloads
  6. Networks durable event payloads
  7. Ziti Management RPC additions needed by Private Networks and group role-attribute sync

Deliverables

Groups

Add:

  • proto/agynio/api/groups/v1/groups.proto
  • proto/agynio/api/groups/v1/events.proto
  • proto/agynio/api/gateway/v1/groups.proto

GroupsService methods:

  • CreateGroup
  • GetGroup
  • ListGroups
  • UpdateGroup
  • DeleteGroup
  • AddMember
  • RemoveMember
  • ListMembers
  • ListMemberGroups
  • ListMemberGroupsBatch — internal only; do not expose in Gateway

Gateway should expose all Groups methods except ListMemberGroupsBatch.

Events:

  • GroupMembershipAddedEvent
  • GroupMembershipRemovedEvent
  • GroupDeletedEvent

Networks

Add:

  • proto/agynio/api/networks/v1/networks.proto
  • proto/agynio/api/networks/v1/events.proto
  • proto/agynio/api/gateway/v1/networks.proto

NetworksService methods:

  • CreateNetwork
  • GetNetwork
  • ListNetworks
  • UpdateNetwork
  • DeleteNetwork
  • CreateTunnelCredential
  • GetTunnelCredential
  • ListTunnelCredentials
  • DeleteTunnelCredential
  • CreatePrivateResource
  • GetPrivateResource
  • ListPrivateResources
  • UpdatePrivateResource
  • DeletePrivateResource
  • CreatePrivateResourceAccess
  • DeletePrivateResourceAccess
  • ListPrivateResourceAccess

Gateway should expose all Networks methods.

Events:

  • TunnelOnlineEvent
  • TunnelOfflineEvent
  • PrivateResourceAccessGrantedEvent
  • PrivateResourceAccessRevokedEvent

Ziti Management

Extend proto/agynio/api/ziti_management/v1/ziti_management.proto with RPCs:

  • CreateTunnelIdentity
  • DeleteTunnelIdentity
  • PatchIdentityRoleAttributes
  • GetIdentityLiveness
  • ListServicesByTag
  • ListIdentitiesByTag
  • ListServicePoliciesByTag
  • UpdateService

Also add backwards-compatible fields needed by future implementations:

  • tag maps on created OpenZiti resources where appropriate
  • additional role attributes on agent/app/device identity creation requests

Prefer additional_role_attributes over replacing base role_attributes, so existing callers do not need to understand base OpenZiti role conventions.

Contract requirements

  • Use existing repository package and go_package conventions.
  • Use package names under agynio.api.*.v1.
  • Gateway protos should follow the existing Gateway proto style and reuse service request/response messages where appropriate.
  • ListMemberGroupsBatch must remain internal-only and must not appear in Gateway proto.
  • CreateTunnelCredentialResponse must include one-time enrollment_jwt.
  • GetTunnelCredential and ListTunnelCredentials responses must not expose enrollment_jwt.
  • Read-side tunnel credential messages should expose enrollment_jwt_revealed metadata.
  • Private resource ports must be repeated numeric ports, documented as 1..65535; no port ranges in v1.
  • PrivateResourceAccess must support principal types: agent, user, app, group.
  • Events should be minimal trigger payloads; do not embed full resource state.
  • Ziti Management additions must be backwards-compatible proto changes.
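
As an added illustration (not the PR's own proto files), a proto3 sketch of how the tunnel credential and private resource access requirements above can be expressed; the field names other than enrollment_jwt, enrollment_jwt_revealed, ports and the principal types are assumed, and the go_package option is left to the repository convention:

```protobuf
syntax = "proto3";
package agynio.api.networks.v1;

// Read-side view of a tunnel credential. It deliberately has no enrollment_jwt
// field: the token is returned exactly once, by CreateTunnelCredential, and
// GetTunnelCredential / ListTunnelCredentials can only ever return this view.
message TunnelCredential {
  string id = 1;           // assumed field
  string network_id = 2;   // assumed field
  // True once the one-time enrollment JWT has been handed out, so a caller can
  // tell a spent credential from a fresh one without ever seeing the token.
  bool enrollment_jwt_revealed = 3;
}

// The only message in the contract that carries the enrollment JWT.
message CreateTunnelCredentialResponse {
  TunnelCredential credential = 1;
  string enrollment_jwt = 2;
}

// Read responses wrap the view above, so enrollment_jwt cannot leak here.
message GetTunnelCredentialResponse {
  TunnelCredential credential = 1;
}

// Principal kinds a private resource access entry can name (agent, user, app, group).
enum PrincipalType {
  PRINCIPAL_TYPE_UNSPECIFIED = 0;
  PRINCIPAL_TYPE_AGENT = 1;
  PRINCIPAL_TYPE_USER = 2;
  PRINCIPAL_TYPE_APP = 3;
  PRINCIPAL_TYPE_GROUP = 4;
}

message PrivateResource {
  string id = 1;           // assumed field
  string network_id = 2;   // assumed field
  // Individual ports, each documented as 1..65535; v1 has no port ranges.
  repeated uint32 ports = 3;
}

message PrivateResourceAccess {
  string id = 1;                    // assumed field
  string private_resource_id = 2;   // assumed field
  PrincipalType principal_type = 3;
  string principal_id = 4;          // assumed field
}
```

Because the read-side messages embed TunnelCredential rather than repeating its fields, a future field added to the view can never reintroduce the token on the read path by accident.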

Out of scope

  • No service implementation.
  • No DB migrations.
  • No NATS deployment.
  • No Gateway handler implementation.
  • No OpenFGA model change in this PR.
  • No generated downstream client updates outside this repo.

Acceptance criteria

  • New proto files follow existing package and go_package conventions.
  • Gateway protos follow existing style.
  • buf lint passes.
  • buf breaking check passes where it is configured (locally or in CI).
  • ListMemberGroupsBatch is not exposed through Gateway.
  • Tunnel credential messages represent the enrollment JWT create/read behaviour described under Contract requirements.
  • Private resource ports and principal types match architecture.
  • Ziti Management additions are backwards-compatible.
