perf(actionsv2): execution target router (#10564)

# Which Problems Are Solved

The event execution system currently uses a projection handler that
subscribes to and processes all events for all instances. This creates a
high static cost because the system over-fetches event data, handling
many events that are not needed by most instances. This inefficiency is
also reflected in high "rows returned" metrics in the database.

# How the Problems Are Solved

Eliminate the use of a project handler. Instead, events for which
"execution targets" are defined, are directly pushed to the queue by the
eventstore. A Router is populated in the Instance object in the authz
middleware.

- By joining the execution targets to the instance, no additional
queries are needed anymore.
- As part of the instance object, execution targets are now cached as
well.
- Events are queued within the same transaction, giving transactional
guarantees on delivery.
- Uses the "insert many fast` variant of River. Multiple jobs are queued
in a single round-trip to the database.
- Fix compatibility with PostgreSQL 15

# Additional Changes

- The signing key was stored as plain-text in the river job payload in
the DB. This violated our [Secrets
Storage](https://zitadel.com/docs/concepts/architecture/secrets#secrets-storage)
principle. This change removed the field and only uses the encrypted
version of the signing key.
- Fixed the target ordering from descending to ascending.
- Some minor linter warnings on the use of `io.WriteString()`.

# Additional Context

- Introduced in https://github.com/zitadel/zitadel/pull/9249
- Closes https://github.com/zitadel/zitadel/issues/10553
- Closes https://github.com/zitadel/zitadel/issues/9832
- Closes https://github.com/zitadel/zitadel/issues/10372
- Closes https://github.com/zitadel/zitadel/issues/10492

---------

Co-authored-by: Stefan Benz <46600784+stebenz@users.noreply.github.com>
(cherry picked from commit a9ebc06c77)

internal/command/action_v2_target_test.go

@@ -9,9 +9,9 @@ import (
 	"github.com/stretchr/testify/assert"
 
 	"github.com/zitadel/zitadel/internal/crypto"
-	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore"
 	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
+	target_domain "github.com/zitadel/zitadel/internal/execution/target"
 	"github.com/zitadel/zitadel/internal/id"
 	"github.com/zitadel/zitadel/internal/id/mock"
 	"github.com/zitadel/zitadel/internal/repository/target"
@@ -130,7 +130,7 @@ func TestCommands_AddTarget(t *testing.T) {
 						target.NewAddedEvent(context.Background(),
 							target.NewAggregate("id1", "instance"),
 							"name",
-							domain.TargetTypeWebhook,
+							target_domain.TargetTypeWebhook,
 							"https://example.com",
 							time.Second,
 							false,
@@ -153,7 +153,7 @@ func TestCommands_AddTarget(t *testing.T) {
 					Name:       "name",
 					Endpoint:   "https://example.com",
 					Timeout:    time.Second,
-					TargetType: domain.TargetTypeWebhook,
+					TargetType: target_domain.TargetTypeWebhook,
 				},
 				resourceOwner: "instance",
 			},
@@ -177,7 +177,7 @@ func TestCommands_AddTarget(t *testing.T) {
 				ctx: context.Background(),
 				add: &AddTarget{
 					Name:       "name",
-					TargetType: domain.TargetTypeWebhook,
+					TargetType: target_domain.TargetTypeWebhook,
 					Timeout:    time.Second,
 					Endpoint:   "https://example.com",
 				},
@@ -204,7 +204,7 @@ func TestCommands_AddTarget(t *testing.T) {
 				ctx: context.Background(),
 				add: &AddTarget{
 					Name:       "name",
-					TargetType: domain.TargetTypeWebhook,
+					TargetType: target_domain.TargetTypeWebhook,
 					Timeout:    time.Second,
 					Endpoint:   "https://example.com",
 				},
@@ -235,7 +235,7 @@ func TestCommands_AddTarget(t *testing.T) {
 				ctx: context.Background(),
 				add: &AddTarget{
 					Name:             "name",
-					TargetType:       domain.TargetTypeWebhook,
+					TargetType:       target_domain.TargetTypeWebhook,
 					Endpoint:         "https://example.com",
 					Timeout:          time.Second,
 					InterruptOnError: true,
@@ -419,7 +419,7 @@ func TestCommands_ChangeTarget(t *testing.T) {
 					ObjectRoot: models.ObjectRoot{
 						AggregateID: "id1",
 					},
-					TargetType: gu.Ptr(domain.TargetTypeWebhook),
+					TargetType: gu.Ptr(target_domain.TargetTypeWebhook),
 				},
 				resourceOwner: "instance",
 			},
@@ -505,7 +505,7 @@ func TestCommands_ChangeTarget(t *testing.T) {
 							[]target.Changes{
 								target.ChangeName("name", "name2"),
 								target.ChangeEndpoint("https://example2.com"),
-								target.ChangeTargetType(domain.TargetTypeCall),
+								target.ChangeTargetType(target_domain.TargetTypeCall),
 								target.ChangeTimeout(10 * time.Second),
 								target.ChangeInterruptOnError(true),
 								target.ChangeSigningKey(&crypto.CryptoValue{
@@ -529,7 +529,7 @@ func TestCommands_ChangeTarget(t *testing.T) {
 					},
 					Name:                 gu.Ptr("name2"),
 					Endpoint:             gu.Ptr("https://example2.com"),
-					TargetType:           gu.Ptr(domain.TargetTypeCall),
+					TargetType:           gu.Ptr(target_domain.TargetTypeCall),
 					Timeout:              gu.Ptr(10 * time.Second),
 					InterruptOnError:     gu.Ptr(true),
 					ExpirationSigningKey: true,