What does this PR do?

Adds the POST /v2/apps.getApp endpoint, which retrieves a single app by its unique identifier within the caller's workspace.

The handler looks up the app by workspace ID and app ID, then checks that the root key holds a read_app permission scoped to either the specific project (project.<project_id>.read_app) or all projects (project.*.read_app). If the app is not found or the key lacks the required permission, the response is an identical 404 — preventing an unauthorized caller from probing which apps exist in the workspace.

Supporting changes include:

• New err:unkey:data:app_not_found error code with a corresponding documentation page
• New ReadApp RBAC action type and read_app permission entries in the dashboard root-key dialog (workspace-wide and per-project)
• New FindAppByWorkspaceAndId SQL query and generated code
• OpenAPI schema additions: App shared component, V2AppsGetAppRequestBody, and V2AppsGetAppResponseBody
• app_not_found mapped to HTTP 404 in the error-handling middleware

Type of change

• Bug fix (non-breaking change which fixes an issue)
• Chore (refactoring code, technical debt, workflow improvements)
• Enhancement (small improvements)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How should this be tested?

• 200: Create a project and app, call apps.getApp with a root key holding project.*.read_app — expect the full app object returned.
• 400: Send requests with a missing appId, one that is too short, contains invalid characters, or exceeds the maximum length — expect 400 with invalid_input error type.
• 401: Call the endpoint with an invalid bearer token — expect 401.
• 403 → 404: Call with a root key that lacks read_app against a real app — expect 404 with no app ID in the response body.
• Existence oracle: Query a real app and a nonexistent app ID with an unauthorized key — both must return 404 with byte-identical error payloads (excluding the per-request ID).
• 404: Query an unknown app ID or an app belonging to a different workspace — expect 404.

Checklist

Required

• Filled out the "How to test" section in this PR
• Read Internal Workflow Guide
• Self-reviewed my own code
• Commented on my code in hard-to-understand areas
• Ran pnpm build
• Ran pnpm fmt
• Ran mise run fmt
• Checked for warnings, there are none
• Removed all console.logs
• Merged the latest changes from main onto my branch with git pull origin main
• My changes don't cause any responsiveness issues

Appreciated

• If a UI change was made: Added a screen recording or screenshots to this PR
• Updated the Unkey Docs if changes were necessary