feat: respond to OpAMP RequestInstanceUid flag with agent_identification for newly enrolled agents

[michel-laterman]

What is the problem this PR solves?

Fleet-server ignores the AgentToServer.flags.RequestInstanceUid flag and does not respond with ServerToAgent.agent_identification, which is required by the OpAMP spec.

How does this PR solve the problem?

When an agent sets the RequestInstanceUid flag, fleet-server treats the message as a new enrollment regardless of whether an agent with the incoming instance_uid already exists:

1. handleMessage checks the flag early and, when set, skips the findEnrolledAgent lookup entirely.
2. enrollAgent generates a fresh UUID v7 and uses it as the agent's ID; the new agent document is stored in .fleet-agents under that UID.
3. The response includes AgentIdentification.NewInstanceUid with the generated UID. The agent is expected to adopt the new UID for subsequent messages per the spec.
4. The response's InstanceUid still echoes the incoming instance_uid per the spec.

If agent_disconnect is set together with RequestInstanceUid (or for an unenrolled agent), fleet-server returns a BadRequest error response.

Reassigning an already-enrolled agent's instance UID without re-enrollment is intentionally out of scope for this change. Doing so would require decoupling the .fleet-agents document _id from instance_uid, which today are the same value (consistent with the rest of fleet-server).

How to test this PR locally

1. Configure an OpenTelemetry Collector to connect to fleet-server over OpAMP (see docs/opamp.md).
2. Send an AgentToServer message with flags set to 1 (RequestInstanceUid). The response should include agent_identification.new_instance_uid with a valid UUID v7 distinct from the incoming instance_uid, and a new document in .fleet-agents should exist under the generated UID.
3. Confirm a message without the flag continues to behave as before (existing agents check in normally; unknown agents auto-enroll under the incoming UID).

Design Checklist

• I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
• I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
• I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

• I have added tests that prove my fix is effective or that my feature works
• I have made corresponding changes to the documentation
• I have added an entry in ./changelog/fragments using the changelog tool

Related issues

• Closes [OpAMP] fleet-server should respond to AgentToServer.flags.RequestInstanceUid #6789

[mergify]

This pull request does not have a backport label. Could you fix it @michel-laterman? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[github-actions]

🔍 Preview links for changed docs

• docs/opamp.md

[github-actions]

✅ Vale Linting Results

No issues found on modified lines!

---

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

[ycombinator]

Could we set instanceUID here to &uid? I think it might simplify some of the code later.

[michel-laterman]

As per the spec, the response's instance_uid value must match the request's even if the request has the new instance_uid flag set