Commit a973e8f
feat(identity): add IdentityService proto definition (#1332)
* feat(identity): add IdentityService proto definition
Introduces api/proto/meridian/identity/v1/identity.proto with:
- Identity, RoleAssignment, and Invitation entity messages
- IdentityStatus and Role enums (UNSPECIFIED zero values, fully commented)
- IdentityService with 16 unary RPCs covering CRUD, authentication,
password management, role management, invitation workflow, and
lifecycle control (suspend/reactivate)
- buf.validate annotations on all request fields
- google.api.http annotations for REST transcoding on all RPCs
- OpenAPI swagger metadata matching project conventions
Passes buf lint (MINIMAL, BASIC, STANDARD, COMMENTS, UNARY_RPC) and
go build with generated stubs.
* fix(identity): use IGNORE_IF_ZERO_VALUE for optional email in UpdateIdentityRequest
The email field in UpdateIdentityRequest uses email validation but partial
updates that omit email would fail against the proto3 empty string default.
Apply IGNORE_IF_ZERO_VALUE so the email constraint is only enforced when
a non-empty value is provided.
* fix(identity): address CodeRabbit review feedback
- Add reason field to ReactivateIdentityRequest for audit trail
consistency with SuspendIdentityRequest
- Add identity_id to RevokeRoleRequest and update REST path to nested
pattern /v1/identities/{identity_id}/roles/{role_assignment_id},
matching GrantRole and ListRoleAssignments path structure
* fix(identity): address security feedback on auth response and actor IDs
- Replace string failure_reason with AuthenticationFailureReason enum in
AuthenticateResponse to prevent exposing account state to potential
attackers via detailed error messages; detailed reasons go to audit logs
- Remove *_by (granted_by, revoked_by, invited_by, suspended_by,
reactivated_by) from all request messages; actor identity must come from
the authenticated principal in the server-side interceptor, not from
client-supplied payload which can be forged
- Add reason field to SuspendIdentityRequest and ReactivateIdentityRequest
messages (audit trail, not actor attribution)
* fix(identity): override global Bearer security for pre-auth endpoints
Add openapiv2_operation security: {} overrides to the five RPCs that
are pre-authentication flows and must not require a Bearer token in
the generated OpenAPI spec:
- Authenticate
- SetPassword
- RequestPasswordReset
- CompletePasswordReset
- AcceptInvitation
The global Bearer security definition remains but is overridden per-RPC
for these endpoints, preventing documentation mismatch that would block
unauthenticated clients from calling these endpoints.
* fix(identity): harden credential management endpoint security
SetPassword:
- Replace identity_id with token in SetPasswordRequest so the
endpoint requires proof-of-possession of the invitation token
rather than just a guessable identity ID; server resolves the
target identity from the token server-side
- Update REST path from /v1/identities/{identity_id}/password to
/v1/identities/password (no path param needed)
ChangePassword:
- Remove identity_id from ChangePasswordRequest; the target identity
must be derived from the authenticated principal, not caller-supplied
payload that can target arbitrary identities
- Update REST path from /v1/identities/{identity_id}/password to
/v1/identities/me/password to reflect self-service semantics
---------
Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>
1 parent 16d9cf5 commit a973e8f
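The two security points the commit message argues for, a coarse client-facing failure-reason enum with the detail kept in audit logs, and actor attribution taken from the authenticated principal rather than a request field, can be illustrated with a small in-memory Go service. This is an added example, not the project's generated stubs or service code: the type names (AuthenticationFailureReason, Principal, Store, the audit entry shape), the constructed sample identities and the plaintext password comparison are all assumptions made so the block runs offline with the standard library only.

```go
package main

import (
	"context"
	"crypto/subtle"
	"errors"
	"fmt"
)

// AuthenticationFailureReason is a coarse, client-facing enum in the spirit of
// the commit's AuthenticateResponse change. The names are assumed for this
// example and are not the project's generated types.
type AuthenticationFailureReason int

const (
	AuthFailureReasonUnspecified AuthenticationFailureReason = iota
	AuthFailureReasonInvalidCredentials
	AuthFailureReasonAccountUnavailable
)

func (r AuthenticationFailureReason) String() string {
	switch r {
	case AuthFailureReasonInvalidCredentials:
		return "INVALID_CREDENTIALS"
	case AuthFailureReasonAccountUnavailable:
		return "ACCOUNT_UNAVAILABLE"
	default:
		return "UNSPECIFIED"
	}
}

// AuthenticateResponse carries only the coarse reason; the detailed cause is
// written to the audit log and never returned to the caller.
type AuthenticateResponse struct {
	Success       bool
	IdentityID    string
	FailureReason AuthenticationFailureReason
}

// AuditEntry is the server-side record that keeps the detail the wire omits.
type AuditEntry struct {
	Actor  string // attributed from the authenticated principal, never the request
	Action string
	Target string
	Detail string
}

type identity struct {
	ID        string
	Email     string
	password  string // constructed sample; plaintext only so the example runs offline
	suspended bool
}

// Store is a constructed in-memory directory standing in for the real backend.
type Store struct {
	byEmail map[string]*identity
	byID    map[string]*identity
	Audit   []AuditEntry
}

func NewSampleStore() *Store {
	s := &Store{byEmail: map[string]*identity{}, byID: map[string]*identity{}}
	for _, id := range []*identity{
		{ID: "id-alice", Email: "alice@example.test", password: "alice-pass"},
		{ID: "id-bob", Email: "bob@example.test", password: "bob-pass", suspended: true},
	} {
		s.byEmail[id.Email] = id
		s.byID[id.ID] = id
	}
	return s
}

func (s *Store) audit(actor, action, target, detail string) {
	s.Audit = append(s.Audit, AuditEntry{Actor: actor, Action: action, Target: target, Detail: detail})
}

// Authenticate verifies the password before reporting anything about account
// state, so an unknown email, a wrong password and a wrong password on a
// suspended account all look identical on the wire.
func (s *Store) Authenticate(email, password string) AuthenticateResponse {
	id, found := s.byEmail[email]
	if !found {
		s.audit("", "authenticate", email, "no identity for email")
		return AuthenticateResponse{FailureReason: AuthFailureReasonInvalidCredentials}
	}
	if subtle.ConstantTimeCompare([]byte(id.password), []byte(password)) != 1 {
		s.audit("", "authenticate", id.ID, "password mismatch")
		return AuthenticateResponse{FailureReason: AuthFailureReasonInvalidCredentials}
	}
	if id.suspended {
		s.audit("", "authenticate", id.ID, "identity suspended")
		return AuthenticateResponse{FailureReason: AuthFailureReasonAccountUnavailable}
	}
	return AuthenticateResponse{Success: true, IdentityID: id.ID}
}

// Principal is what a server-side auth interceptor attaches to the context
// after verifying the bearer token (assumed shape).
type Principal struct{ IdentityID string }

type principalKey struct{}

func WithPrincipal(ctx context.Context, p Principal) context.Context {
	return context.WithValue(ctx, principalKey{}, p)
}

// SuspendIdentityRequest mirrors the commit's shape: a reason for the audit
// trail, but no suspended_by field for the client to forge.
type SuspendIdentityRequest struct {
	IdentityID string
	Reason     string
}

var ErrUnauthenticated = errors.New("unauthenticated")

// SuspendIdentity attributes the action to the context principal and returns
// the actor it recorded, so callers can see attribution came from the context.
func (s *Store) SuspendIdentity(ctx context.Context, req SuspendIdentityRequest) (string, error) {
	p, ok := ctx.Value(principalKey{}).(Principal)
	if !ok || p.IdentityID == "" {
		return "", ErrUnauthenticated
	}
	target, found := s.byID[req.IdentityID]
	if !found {
		return "", fmt.Errorf("identity %q not found", req.IdentityID)
	}
	target.suspended = true
	s.audit(p.IdentityID, "suspend", target.ID, req.Reason)
	return p.IdentityID, nil
}

func main() {
	s := NewSampleStore()
	fmt.Println(s.Authenticate("alice@example.test", "wrong").FailureReason)
	ctx := WithPrincipal(context.Background(), Principal{IdentityID: "id-admin"})
	actor, err := s.SuspendIdentity(ctx, SuspendIdentityRequest{IdentityID: "id-alice", Reason: "policy"})
	fmt.Println(actor, err)
	for _, e := range s.Audit {
		fmt.Printf("%+v\n", e)
	}
}
```

The ordering in Authenticate is the design choice worth noticing: ACCOUNT_UNAVAILABLE is only returned after a correct password, so the coarse enum never tells an unauthenticated caller whether an address is registered or suspended, while the audit log still records the precise cause for operators.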
1 file changed
Lines changed: 797 additions & 0 deletions