Add permission-gated SPAPI credential lookup for mail services

[Copilot]

SPAPI credential lookups currently return active users without considering application-level authorization, which leaves IMAP/SMTP consumers unable to gate access on MNUser permissions. This change adds a permission-aware credential lookup variant for Dovecot/OpenSMTPD-style integrations while preserving the existing unscoped function.

• What changes

  • Added authserver_get_credentials(varchar, varchar) as a permission-gated overload of the existing SPAPI credential lookup.
  • The new variant only returns credentials when the owning MNUser has the requested permission, either directly or through an assigned group.
  • The existing single-argument authserver_get_credentials(varchar) behavior remains unchanged.

• Permission evaluation

  • Added a DB-side helper to resolve application permissions by permission_name.
  • Checks both:
    • direct user permissions (app_permissions)
    • inherited group permissions (app_groups -> group_permissions)
  • Applies the same authorization gate to both mailbox logins and service-user logins.

• SPAPI integration

  • Registered the new overloaded function in SPAPI install/check/grant/revoke handling so database users can execute it like the rest of the stored procedure API.
  • Corrected signature aggregation in SPAPI install/access checks so all registered functions are evaluated.

• Coverage and docs

  • Added tests for:
    • direct permission access
    • group-inherited permission access
    • denied access when the permission is missing
  • Updated the SPAPI function reference in README.rst.

• Usage

  SELECT username, password, primary_alias
  FROM authserver_get_credentials('svc-alice', 'mail.smtp');