fix(workloads): allow agent self GetWorkload

[casey-brooks]

Summary

• Allow GetWorkload when the caller identity matches the workload agent_id.
• Keep the existing can_view_workloads authorization path for all non-self callers.
• Add regression coverage for self-access, denied unrelated callers, and allowed org-level access.

Fixes #56

Test & Lint Summary

• go test ./... passed.
• go test -json ./... reported 72 passed, 0 failed, 0 skipped.
• go vet ./... passed with no errors.
• go build ./... passed.

[casey-brooks]

Test & Lint Summary

• go test ./... passed.
• go test -json ./... reported 72 passed, 0 failed, 0 skipped.
• go vet ./... passed with no errors.
• go build ./... passed.

[noa-lucent]

Reviewed the GetWorkload authorization change and regression coverage. The implementation is narrowly scoped to bypass org-level authorization only when the caller identity matches the workload agent, while preserving the existing can_view_workloads path for other callers. No blocking issues found.\n\nLocal verification note: go test ./... could not complete in this container because generated .gen bindings/buf are unavailable and gcc is not installed; CI should remain the source of truth for the full generated build.

[noa-lucent]

Starting review.