feat!: move config & settings under /api/v1/environments/{envSlug}/...

P3A of the taxonomy migration. Env-scoped config and settings endpoints
now live under the env-prefixed URL shape, making env a first-class
path segment instead of a query param. Agent-authoritative config is
split off into a dedicated endpoint so agent env comes from the JWT
only — never spoofable via URL.

Server:
- ApplicationConfigController: @RequestMapping("/api/v1/environments/
  {envSlug}"). Handlers use @EnvPath Environment env, appSlug as
  @PathVariable. Removed the dual-mode resolveEnvironmentForRead —
  user flow only; agent flow moved to AgentConfigController.
- AgentConfigController (new): GET /api/v1/agents/config. Reads
  instanceId from JWT subject, resolves (app, env) from registry,
  returns AppConfigResponse. Registry miss → falls back to JWT env
  claim for environment, but 404s if application cannot be derived
  (no other source without registry).
- AppSettingsController: @RequestMapping("/api/v1/environments/
  {envSlug}"). List at /app-settings, per-app at /apps/{appSlug}/
  settings. Access class-wide PreAuthorize preserved (ADMIN/OPERATOR).

SPA:
- commands.ts: useAllApplicationConfigs, useApplicationConfig,
  useUpdateApplicationConfig, useProcessorRouteMapping,
  useTestExpression — rewritten URLs to /environments/{env}/apps/
  {app}/... shape. environment now required on every call. Query
  keys include environment so cache is env-scoped.
- dashboard.ts: useAppSettings, useAllAppSettings, useUpdateAppSettings
  rewritten.
- TapConfigModal: new required environment prop; callers updated.
- RouteDetail, ExchangesPage: thread selectedEnv into test-expression
  and modal.

Config changes in SecurityConfig for the new shape landed earlier in
P0.2; no security rule changes needed in this commit.

BREAKING CHANGE: /api/v1/config/** and /api/v1/admin/app-settings/**
paths removed. Agents must use /api/v1/agents/config instead of
GET /api/v1/config/{app}; users must use /api/v1/environments/{env}/
apps/{app}/config and /api/v1/environments/{env}/apps/{app}/settings.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

ui/src/api/queries/dashboard.ts

@@ -127,9 +127,9 @@ export interface AppSettings {
 
 export function useAppSettings(appId?: string, environment?: string) {
   return useQuery({
-    queryKey: ['app-settings', appId, environment],
+    queryKey: ['app-settings', environment, appId],
     queryFn: () => fetchJson<AppSettings>(
-      `/admin/app-settings/${appId}?environment=${encodeURIComponent(environment!)}`),
+      `/environments/${encodeURIComponent(environment!)}/apps/${encodeURIComponent(appId!)}/settings`),
     enabled: !!appId && !!environment,
     staleTime: 60_000,
   });
@@ -139,7 +139,7 @@ export function useAllAppSettings(environment?: string) {
   return useQuery({
     queryKey: ['app-settings', 'all', environment],
     queryFn: () => fetchJson<AppSettings[]>(
-      `/admin/app-settings?environment=${encodeURIComponent(environment!)}`),
+      `/environments/${encodeURIComponent(environment!)}/app-settings`),
     enabled: !!environment,
     staleTime: 60_000,
   });
@@ -151,7 +151,7 @@ export function useUpdateAppSettings() {
     mutationFn: async ({ appId, environment, settings }:
         { appId: string; environment: string; settings: Omit<AppSettings, 'appId' | 'createdAt' | 'updatedAt'> }) => {
       const res = await fetch(
-        `${config.apiBaseUrl}/admin/app-settings/${appId}?environment=${encodeURIComponent(environment)}`,
+        `${config.apiBaseUrl}/environments/${encodeURIComponent(environment)}/apps/${encodeURIComponent(appId)}/settings`,
         {
           method: 'PUT',
           headers: { ...authHeaders(), 'Content-Type': 'application/json' },