fix(spec): correct OpenAPI spec issues in api.yaml

Summary

Four spec fixes across AuthenticatorEnrollmentPolicyRuleConditions, NetworkZoneLocationArray, OAuth2ClientJsonEncryptionKeyRequest, and OAuth2ClientJsonSigningKeyRequest.

Changes

1. AuthenticatorEnrollmentPolicyRuleConditions — add missing app field

The app condition was present in other policy rule condition schemas (e.g. OktaSignOnPolicyRuleConditions) but was missing from AuthenticatorEnrollmentPolicyRuleConditions, making it impossible to set app-scoped conditions on authenticator enrollment policy rules.

+ app:
+   $ref: '#/components/schemas/AppAndInstancePolicyRuleCondition'

2. NetworkZoneLocationArray — fix include/exclude property descriptions

include and exclude had their $ref and description as sibling keys, which is invalid OpenAPI (a $ref ignores all siblings). Wrapped in allOf so the description is properly applied alongside the referenced schema.

3. OAuth2ClientJsonEncryptionKeyRequest — add missing alg field

The addJwk endpoint uses a oneOf of OAuth2ClientJsonSigningKeyRequest and OAuth2ClientJsonEncryptionKeyRequest. The code generator merges properties from both into the AddJwkRequest wrapper class. Because alg was absent from the encryption key schema, it was dropped from the merged class — causing MissingMethodException failures in ApplicationSSOPublicKeysIT when calling .alg("RSA-OAEP").

4. OAuth2ClientJsonSigningKeyRequest — fix discriminator and required indentation

discriminator and required were incorrectly nested inside the properties: block (treated as property names by the parser). Moved both to schema level so the OpenAPI code generator correctly generates Java inheritance for OAuth2ClientJsonWebKeyRsaRequest and OAuth2ClientJsonWebKeyECRequest. The now-redundant kty overrides in the sub-schemas were removed to avoid incompatible return type errors in the generated Java.