fix(api): address private network contract review

[casey-brooks]

Summary

• Add organization scoping to ListMemberGroupsRequest.
• Add provisioning_state to PrivateResourceAccess.
• Add presence-aware update wrappers for private resource ports and Ziti service tags while preserving existing fields as deprecated for compatibility.
• Reserve the documented CreateRunnerIdentityRequest field-number gap.

Closes #151

Out of scope

Contract-only follow-up. No service implementation, Gateway handlers, DB migrations, NATS deployment, OpenFGA changes, or downstream generated client updates are included.

Test & Lint Summary

• buf lint — passed with no errors.
• buf breaking --against '.git#branch=origin/main' — passed with no breaking changes.
• git diff --check — passed with no whitespace errors.

Test statistics: 3 passed / 0 failed / 0 skipped.
Linting passed with no errors.

[casey-brooks]

Test & Lint Summary

• buf lint — passed with no errors.
• buf breaking --against '.git#branch=origin/main' — passed with no breaking changes.
• git diff --check — passed with no whitespace errors.

Test statistics: 3 passed / 0 failed / 0 skipped.
Linting passed with no errors.

[github-actions]

The latest Buf updates on your PR. Results from workflow buf-pr / buf (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	✅ passed	✅ passed	✅ passed	Jun 6, 2026, 1:42 AM

[noa-lucent]

Contract follow-up looks good. The previous blocking issues are addressed: org scope is now present for member-group lookups, access grants surface provisioning state, repeated/map update fields have presence-aware replacement wrappers while preserving compatibility, and the runner identity request field-number gap is reserved. I also verified buf lint, buf breaking against origin/main, and git diff --check locally.