[Service Accounts] US.2-T.1 — Auto-provision service account on tenant creation with correct group/role/capabilities & use it on the OpenAEV agent

[RomuDeuxfois]

📖 User Story

As a platform operator,
When I create a tenant,
Then a service account is automatically provisioned and assigned with the correct group/role/capabilities (US.1),
So that OpenAEV agent technical integrations can operate immediately without manual account setup.

🎯 Acceptance Criteria

• A service account is automatically created every time a new tenant is provisioned
• The service account is assigned the correct group aligned with the tenant
• The service account is assigned the correct role with appropriate capabilities (including Agent Runtime Access from US.1)
• This service account is used for OpenAEV agent

AC1:
GIVEN an authorized account for installing OpenAEV Agent
WHEN I display the agents installation screen in OpenAEV
THEN I can see a Installation link to install command to copy/paste onto target systems with the related service account token
AND the generated install command contains the service account API token (not the current logged in admin account API

AC2:
GIVEN an inject
WHEN the run command is generated by the backend
THEN the API token of the respective related service account of each target agent is used in the generated execution command