Commit 503212a
feat(api)!: standardize all list endpoints with pagination wrappers (#128)
* feat(api)!: standardize all list endpoints with pagination wrappers
BREAKING CHANGE: All list endpoints now return wrapped responses with
pagination metadata instead of raw arrays.
New response format:
{
  "<items>": [...],
  "total": <total count before pagination>,
  "limit": <requested limit>,
  "offset": <requested offset>
}
Changes include:
- Add 13 new response schemas to OpenAPI spec (ListThreatModelsResponse,
ListThreatsResponse, ListDiagramsResponse, ListDocumentsResponse,
ListNotesResponse, ListAssetsResponse, ListRepositoriesResponse,
ListWebhookSubscriptionsResponse, ListWebhookDeliveriesResponse,
ListUserQuotasResponse, ListWebhookQuotasResponse, ListAddonQuotasResponse,
ListClientCredentialsResponse)
- Fix ListAdministratorsResponse to include limit/offset fields
- Add Count() methods to all stores for proper total calculation
- Update all list endpoint handlers to use wrapped response format
- Add pagination support to /me/client_credentials endpoint
- Fix missing filter implementations (status, status_updated_after,
status_updated_before in threat models; addon_id in invocations)
- Update all unit and integration tests for new response format
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(api): add missing OpenAPI responses and Configuration tag
Add 429 rate limit responses to config and admin settings endpoints,
400 validation responses where missing, and define Configuration tag.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(api): add missing OpenAPI examples and fix schema type
Add examples to all List*Response pagination properties and array
fields, endpoint media types, and migrate response. Fix missing
type in JsonPatchDocument array items schema.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(test): update Postman collections for pagination wrapper responses
Update test assertions to handle new list endpoint response format with
pagination wrappers (e.g., {threat_models: [...], total, limit, offset})
instead of raw arrays. Add update script for future schema migrations.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore(deps): remove unused godotenv dependency
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(api): rename jwks_url to jwks_uri for RFC 9728 compliance
The OAuthProtectedResourceMetadata schema incorrectly used jwks_url
instead of the RFC 9728-specified field name jwks_uri.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* feat(test): add CATS false positive rules for DELETE /me and reserved settings
Add two new false positive detection rules to parse-cats-results.py:
- DELETE_ME_CHALLENGE: DELETE /me returns 400 without challenge param.
This is correct behavior - the two-step deletion flow requires the
challenge parameter for safety.
- ADMIN_SETTINGS_RESERVED: Reserved setting keys (e.g., "migrate")
return 400. This is correct - "migrate" is reserved for the
POST /admin/settings/migrate endpoint.
These rules reduce false positives in CATS fuzzing results by correctly
identifying expected API behavior.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix(api): correct column name in settings list query
The SettingsService.List() method was using Order("key") but the
database column is "setting_key", causing 500 errors on GET /admin/settings.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

1 parent c4a3a2e commit 503212a

70 files changed, +3894 -1663 lines changed

File tree
- api-schema
- api
- scripts
- test
- integration/workflows
- postman
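The two CATS false-positive rules named in the commit message, sketched as an added example (this is not the project's parse-cats-results.py). The finding fields (`method`, `path`, `status`, `query`), the `/admin/settings/<key>` path shape, and the sample findings are assumptions made for illustration; the point shown is keeping each suppression rule narrow enough that a 500, or a 400 with the challenge present, still surfaces.

```python
"""Narrow false-positive rules for fuzzing triage (added example)."""

# The only reserved key the commit message names.
RESERVED_SETTING_KEYS = {"migrate"}

# Constructed sample findings; field names are assumed, not the CATS report schema.
SAMPLE_FINDINGS = [
    {"method": "DELETE", "path": "/me", "status": 400, "query": {}},
    {"method": "DELETE", "path": "/me", "status": 400, "query": {"challenge": "x"}},
    {"method": "PUT", "path": "/admin/settings/migrate", "status": 400, "query": {}},
    {"method": "PUT", "path": "/admin/settings/theme", "status": 400, "query": {}},
    {"method": "GET", "path": "/admin/settings", "status": 500, "query": {}},
]


def classify(finding):
    """Return the rule name if the finding is expected behaviour, else None."""
    method = finding["method"].upper()
    path = finding["path"].rstrip("/")
    # Both rules cover 400 only; any other status stays a real finding.
    if finding["status"] != 400:
        return None
    # Two-step deletion: 400 is expected only when the challenge is absent.
    if method == "DELETE" and path == "/me":
        if "challenge" not in finding.get("query", {}):
            return "DELETE_ME_CHALLENGE"
        return None
    # Reserved keys: assumed path shape /admin/settings/<key>. POST is left
    # out because POST /admin/settings/migrate is a real endpoint.
    prefix = "/admin/settings/"
    if path.startswith(prefix) and method != "POST":
        if path[len(prefix):] in RESERVED_SETTING_KEYS:
            return "ADMIN_SETTINGS_RESERVED"
    return None


def triage(findings):
    """Split findings into (suppressed, remaining); suppressed keep their rule."""
    suppressed, remaining = [], []
    for finding in findings:
        rule = classify(finding)
        if rule:
            suppressed.append((rule, finding))
        else:
            remaining.append(finding)
    return suppressed, remaining


if __name__ == "__main__":
    hidden, kept = triage(SAMPLE_FINDINGS)
    print([rule for rule, _ in hidden], len(kept))
```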