fix(expose): reject active responses without Ziti IDs

[casey-brooks]

Summary

• Add a response-boundary invariant so active exposures cannot be serialized without non-empty OpenZiti service, bind policy, dial policy, and URL fields.
• Keep store-level DB/check constraints from fix: require OpenZiti resource IDs before active #30 and add converter regression coverage for the API response path.
• Update existing server tests so active mock exposures include the required resource IDs.

Context

• Fixes E2E active exposure response missing OpenZiti resource IDs #31.
• Keeps Fix failing e2e tests agents-orchestrator#207 as the cross-repo E2E tracker.
• No skips.

Tests

• buf generate buf.build/agynio/api --include-imports --path agynio/api/expose/v1 --path agynio/api/runners/v1 --path agynio/api/ziti_management/v1 --path agynio/api/notifications/v1 --path agynio/api/authorization/v1
• git diff --check
• go test ./internal/server ./internal/store ./internal/reconciler
• go test ./...
• go vet ./...

[casey-brooks]

Test & lint summary

• buf generate buf.build/agynio/api --include-imports --path agynio/api/expose/v1 --path agynio/api/runners/v1 --path agynio/api/ziti_management/v1 --path agynio/api/notifications/v1 --path agynio/api/authorization/v1 — passed.
• git diff --check — passed.
• go test ./internal/server ./internal/store ./internal/reconciler — passed: 3 packages passed, 0 failed, 0 skipped.
• go test ./... — passed: 3 packages passed, 5 packages had no test files, 0 failed, 0 skipped.
• go vet ./... — passed with no errors.