Implement GitHub App provisioning via Manifest flow #58

@G0maa

Goal

Each self-hosted Marsa install creates its own GitHub App near one-click, via the GitHub App Manifest flow (a single central App can't serve installs on arbitrary operator-chosen domains).

Acceptance Criteria

  • Generate an App manifest from the install's configured domain (webhook URL + OAuth callback URL)
  • Redirect the operator to GitHub's pre-filled app-creation page
  • Handle the conversion callback (POST /app-manifests/{code}/conversions)
  • Persist App id, client_id, client_secret, webhook_secret, and private key (PEM) securely per install (encrypted at rest)

Notes

Foundation for #22 (login) and #23 (deploy). See AgDR-0005. Parent: #23.

Migration

This feature creates the project's first DB table (github_app). Schema migration is tracked
on this ticket (label migration) rather than a separate ticket — additive new table, zero
blast radius.

Migration AgDR: docs/agdr/AgDR-0007-migration-github-app-table.md
Encryption AgDR: docs/agdr/AgDR-0006-github-app-credential-storage.md
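
The first three acceptance criteria as an added sketch, which is not Marsa's own code: the manifest is derived only from a validated host, the redirect carries a random `state`, and the callback checks that `state` and the shape of `code` before building the conversion URL. The function names, the three URL paths and the `code` pattern are assumptions.

```python
import hmac
import json
import re
import secrets
from urllib.parse import urlencode

GITHUB_NEW_APP_URL = "https://github.com/settings/apps/new"
CONVERSION_URL = "https://api.github.com/app-manifests/{code}/conversions"
# Bare host[:port] only, so no path, query or userinfo can reach the manifest URLs.
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?(:[0-9]{1,5})?")
# Assumed shape of the temporary code; anything else never reaches a URL path.
CODE_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")


def build_manifest(domain: str, app_name: str) -> dict:
    """Build the App manifest from the install's configured domain."""
    if not HOST_RE.fullmatch(domain):
        raise ValueError(f"not a bare host[:port]: {domain!r}")
    base = f"https://{domain}"
    return {
        "name": app_name,
        "url": base,
        "hook_attributes": {"url": f"{base}/webhooks/github"},  # hypothetical path
        "redirect_url": f"{base}/setup/github/callback",        # hypothetical path
        "callback_urls": [f"{base}/auth/github/callback"],      # hypothetical path
        "public": False,
    }


def start_flow(domain: str, app_name: str) -> tuple[str, str, str]:
    """Return (form action, manifest JSON, state).

    The operator's browser POSTs the JSON as the `manifest` form field to the
    action URL; the state is stored in the operator's session for the callback.
    """
    state = secrets.token_urlsafe(32)
    action = f"{GITHUB_NEW_APP_URL}?{urlencode({'state': state})}"
    return action, json.dumps(build_manifest(domain, app_name)), state


def conversion_url(code: str, returned_state: str, session_state: str) -> str:
    """Validate the callback parameters and return the URL to POST to."""
    if not session_state or not hmac.compare_digest(
        returned_state.encode(), session_state.encode()
    ):
        raise PermissionError("state mismatch")
    if not CODE_RE.fullmatch(code):
        raise ValueError("malformed code")
    return CONVERSION_URL.format(code=code)
```

The response to that POST carries the values listed in the last criterion (`id`, `client_id`, `client_secret`, `webhook_secret`, `pem`), so it should go straight to the encrypted store and never into logs.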

Labels: migration (Database/schema/data migration — gated by require-migration-ticket.sh)

Status: Backlog