bundle: fix genie_space permissions URL prefix (stacked on #5282)

[longchass]

Draft — not requesting merge. Stacked on #5282 to make CI runnable on the fix. Canonical discussion is on #5282 (review comment forthcoming).

Summary

Five-line fix on top of #5282. The genie_space permissions prefix was registered as /genie/spaces/ — a 4-segment path that parsePermissionsID reads as RequestObjectType="genie/spaces", routing to:

PUT /api/2.0/permissions/genie/spaces/<id>

That endpoint does not exist (404 ENDPOINT_NOT_FOUND, which is what motivated 41b19bb5b "reject genie_space permissions during plan"). The actual production path is 3-segment:

PUT /api/2.0/permissions/genie/<id>

with RequestObjectType="genie". This matches:

• the SDK iam path builder at service/iam/impl.go (uses "/api/2.0/permissions/%v/%v")
• the CLI's own databricks permissions get/set genie <id> command — genie is listed as a valid REQUEST_OBJECT_TYPE in cmd/workspace/permissions/permissions.go:100
• production usage via databricks permissions set genie <id> --json … (I run this in a Genie-space Git-versioning tool against a real workspace daily)

The acceptance test passes today only because libs/testserver/permissions.go has the same "genie/spaces": "genie-space" entry — both halves of the wire format agree on the wrong path, so production breakage is invisible in CI.

If #5282 ships with /genie/spaces/, any deploy with permissions: on a genie_space will 404 against production. Since e4809d65a "Agent review" already deleted the rejection mutator and added the positive test, this just makes the positive test exercise the right URL.

Changes (5 lines)

File	Change
bundle/direct/dresources/permissions.go	"/genie/spaces/" → "/genie/"
libs/testserver/permissions.go	testserver whitelist "genie/spaces" → "genie"
bundle/direct/dresources/all_test.go	fixture ObjectID matches new prefix
acceptance/.../current_can_manage/out.requests.deploy.direct.json	regenerated via -update: PUT /api/2.0/permissions/genie/[FOO_ID]
acceptance/.../current_can_manage/out.plan.direct.json	regenerated: plan references /genie/${...id}

Test plan

• go test ./bundle/... ./libs/testserver/... — pass
• go test ./acceptance -run 'TestAccept/bundle/resources/permissions/genie_spaces' — pass after -update
• ./task lint-q — 0 issues
• CI on this PR (the reason for opening it)

Drive-by observation (out of scope for this PR)

Independent of this fix, two acceptance fixtures on #5282 reproduce as stale without my changes:

• acceptance/bundle/resources/genie_spaces/simple/out.plan.json — serial: 7 vs actual 1
• acceptance/bundle/refschema/out.fields.txt — missing resources.genie_spaces.*.etag

Both look like they need ./task test-update from a clean rebase. Flagging here rather than fixing — out of scope.

Closes when

#5282 lands. Either cherry-pick 6767037 directly, or this becomes a normal PR against main after #5282 merges.

[github-actions]

Approval status: pending

/acceptance/bundle/ - needs approval

Files: acceptance/bundle/resources/permissions/genie_spaces/current_can_manage/out.plan.direct.json, acceptance/bundle/resources/permissions/genie_spaces/current_can_manage/out.requests.deploy.direct.json
Suggested: @denik
Also eligible: @janniklasrose, @shreyas-goenka, @andrewnester, @pietern, @anton-107, @lennartkats-db

/bundle/ - needs approval

Files: bundle/direct/dresources/all_test.go, bundle/direct/dresources/permissions.go
Suggested: @denik
Also eligible: @janniklasrose, @shreyas-goenka, @andrewnester, @pietern, @anton-107, @lennartkats-db

General files (require maintainer)

Files: libs/testserver/permissions.go
Based on git history:

• @denik -- recent work in bundle/direct/dresources/, libs/testserver/

_{Any maintainer (@andrewnester, @anton-107, @denik, @pietern, @shreyas-goenka, @simonfaltum, @renaudhartert-db) can approve all areas.
See OWNERS for ownership rules.}

[longchass]

@janniklasrose Hi, just proposing this fix on top of your PR, cheers.