fix(security): also tenant-scope /apps/<app_id>/trace AppTraceApi

The AppTraceApi GET/POST endpoints in app.py have the same missing-
tenant-check bug as ops_trace.py, on the same advisory. Apply the
same @get_app_model decorator pattern here too.

Bundled into this PR per zafido's draft patch — same advisory,
same bug class, same fix pattern.

Refs: GHSA-48xc-wmw8-3jr3
Co-Authored-By: Ido Shani <ido@zafran.io>

api/controllers/console/app/app.py

@@ -840,10 +840,11 @@ class AppTraceApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_id):
+    @get_app_model
+    def get(self, app_model):
         """Get app trace"""
         with session_factory.create_session() as session:
-            app_trace_config = OpsTraceManager.get_app_tracing_config(app_id, session)
+            app_trace_config = OpsTraceManager.get_app_tracing_config(app_model.id, session)
 
         return app_trace_config
 
@@ -857,12 +858,13 @@ class AppTraceApi(Resource):
     @login_required
     @account_initialization_required
     @edit_permission_required
-    def post(self, app_id):
+    @get_app_model
+    def post(self, app_model):
         # add app trace
         args = AppTracePayload.model_validate(console_ns.payload)
 
         OpsTraceManager.update_app_tracing_config(
-            app_id=app_id,
+            app_id=app_model.id,
             enabled=args.enabled,
             tracing_provider=args.tracing_provider,
         )