Add incident creation API endpoint

[noah-schechter]

Note: This is my first change to Atlos that involves write access and permissions changes. While I've approached this feature thoughtfully, it involves changes to fairly high-risk code paths and so is deserving of an extra layer of scrutiny before merging.

Changes
This PR involves four main types of changes:

• Changes to functions involved in creating media and assessing permissions to support an %APIToken{} instead of a %User{}.
• Changes to the v2 API to handle a new api/v2/incidents/new endpoint.
• Additions of several tests of basic functionality.
• Updates to the API documentation.

Questions
A few implementation notes and questions:

• The endpoint currently handles all attributes, all metadata other than deleted and assignments, and the urls field. A few questions:
  • I'd appreciate your guidance on what is going wrong with the deleted field; I'm not sure why the endpoint isn't handling these values.
  • Let me know if you think it's essential we include assignments; I think this requires a larger change to the cast() usage in Media.changeset/3. We also don't surface users' IDs so this would also require a smaller change to the in-platform API documentation on the Access page.
  • Unlike attributes' value validation, the urls list validation fails silently—an otherwise well-formed API call with "url" => ["foobar"] results in a successful incident creation, but the URL is not archived or added as a piece of source material. Let me know if it's ok to add validation for this at the APIV2Controller layer; I wasn't sure where to add this validation otherwise.

A Note on Regressions
In the course of developing this endpoint, I encountered two previously undocumented bugs. We should fix these, but it's worth noting, both for review of this PR and for root causing of these bugs, that they were not caused by this PR. The two bugs are:

• The incident creation modal flashes for a moment when it initially loads.
• The incident creation modal doesn't display an error message for invalid URLs, but the Create Incident button fails to allow the user to create an incident without invalid URLs, so the user becomes stuck on the incident creation modal.

[netlify]

✅ Deploy Preview for atlos-docs ready!

Name	Link
🔨 Latest commit	2ad6551
🔍 Latest deploy log	https://app.netlify.com/sites/atlos-docs/deploys/67770405fcdba30008d9947e
😎 Deploy Preview	https://deploy-preview-1056--atlos-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[milesmcc]

did not test live, but this approach looks good to me! see minor comments.

[milesmcc]

this function is confusing to me — so much is going on. what is the purpose of this function? to make sure that the user or token can edit media within a project?

[milesmcc]

this function would benefit a lot from either a comment or a rename

[milesmcc]

considering it doesn't operate on projects but media, the name seems confusing at best and wrong at worst

[milesmcc]

👻

[milesmcc]

(to be clear, I wrote this function)

[noah-schechter]

Agree the name is cursed.💀 Just added a short comment to reflect that validate_project validates changes to an incident's project, not the project itself.

[noah-schechter]

(Working on a deeper change to this function so that we actually do validate that the API Token is permitted to edit the incident's project.)