Add server-issued oa_uid issuance for first app_open

[sqsge]

Summary

This PR implements the server-side oa_uid issuance slice for the first app_open.

PR #166 already introduced oa_uid into downstream storage and attribution paths, but the server still had no way to issue an oa_uid when a client did not already have one. This PR fills that gap for #233.

What Changes

• allow first app_open requests to omit oa_uid
• generate and return an oa_uid server-side for that first app_open
• preserve existing client-supplied oa_uid behavior
• persist first-open oa_uid issuance keyed by event_uid
• reuse the same issued oa_uid on retried first-open requests
• normalize persisted oa_uid values to strings before they flow back into the event payload / Kafka serialization
• add focused regression coverage
• update docs for the first app_open flow

Why event_uid

The first-open issuance path needs to be idempotent for retries.

Using event_uid as the issuance key keeps the scope narrow and matches the existing contract where event_uid is already used as the event deduplication key. That lets retried first-open requests reuse the same issued oa_uid instead of generating a new one.

Scope

This PR intentionally stays within the narrower server-side issuance slice from #233.

It does not attempt to solve the broader identity lifecycle questions from #232, such as cross-install or reinstall semantics.

Testing

Passed:

• HOME=/tmp/oa-home PYTHONPATH=apps/postback-api python -m unittest apps/postback-api/tests/test_issue_233.py apps/postback-api/tests/test_oa_uid.py

Covered by tests:

• first app_open without oa_uid returns a server-issued identifier
• existing client-supplied oa_uid behavior still works
• non-app_open events still require oa_uid
• first-open retries reuse the same issued oa_uid
• insert-race fallback reuses the already-persisted oa_uid
• persisted UUID values are normalized to strings before serialization