refactor(idp): make NetBird single source of truth for authorization

Remove duplicate authorization data from Zitadel IdP. NetBird now stores
all authorization data (account membership, invite status, roles) locally,
while Zitadel only stores identity information (email, name, credentials).

Changes:
- Add PendingInvite field to User struct to track invite status locally
- Simplify IdP Manager interface: remove metadata methods, add GetAllUsers
- Update cache warming to match IdP users against NetBird DB
- Remove addAccountIDToIDPAppMeta and all wt_* metadata writes
- Delete legacy IdP managers (Auth0, Azure, Keycloak, Okta, Google
  Workspace, JumpCloud, Authentik, PocketId) - only Zitadel supported

management/server/user_test.go

@@ -563,7 +563,7 @@ func TestUser_InviteNewUser(t *testing.T) {
 	}
 
 	idpMock := idp.MockIDP{
-		CreateUserFunc: func(_ context.Context, email, name, accountID, invitedByEmail string) (*idp.UserData, error) {
+		CreateUserFunc: func(_ context.Context, email, name string) (*idp.UserData, error) {
 			newData := &idp.UserData{
 				Email: email,
 				Name:  name,
@@ -574,7 +574,7 @@ func TestUser_InviteNewUser(t *testing.T) {
 
 			return newData, nil
 		},
-		GetAccountFunc: func(_ context.Context, accountId string) ([]*idp.UserData, error) {
+		GetAllUsersFunc: func(_ context.Context) ([]*idp.UserData, error) {
 			return mockData, nil
 		},
 	}
@@ -1068,7 +1068,7 @@ func TestDefaultAccountManager_ExternalCache(t *testing.T) {
 	am := DefaultAccountManager{
 		Store:              store,
 		eventStore:         &activity.InMemoryEventStore{},
-		idpManager:         &idp.GoogleWorkspaceManager{}, // empty manager
+		idpManager:         &idp.MockIDP{}, // empty manager
 		cacheLoading:       map[string]chan struct{}{},
 		permissionsManager: permissionsManager,
 	}