Commit 5cee491
feat: Comprehensive API key management system

Implements issue #35 - API Key Management

Features:
- Secure API key generation (mcp_ prefix + 32 random bytes)
- Key prefix for identification without exposing full key
- SHA-256 hashing for secure storage
- Constant-time comparison for validation

Key capabilities:
- Per-key rate limits
- Permission-based access control
- Scope-based authorization (servers:read, etc.)
- Key expiration with configurable TTL
- Key revocation
- Key regeneration without changing metadata
- Usage tracking (last used time/IP)

API Endpoints:
- POST /api/v1/api-keys - Create new key
- GET /api/v1/api-keys - List all keys
- GET /api/v1/api-keys/:id - Get key details
- PUT /api/v1/api-keys/:id - Update key settings
- DELETE /api/v1/api-keys/:id - Revoke key
- POST /api/v1/api-keys/:id/regenerate - Regenerate secret

Middleware:
- APIKeyMiddleware for validating requests
- Automatic last-used tracking
- Context injection for downstream handlers

Database:
- Migration 007: Enhances api_keys table
- Indexes for prefix lookup and org queries

Closes #35

1 parent 208c6cc commit 5cee491
2 files changed (+739, -0 lines changed):
- backend/internal/auth
- migrations
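The key scheme listed under "Features" in the commit message, as an added Go sketch that is not the commit's code: the server stores only a lookup prefix and a SHA-256 hash, finds the record by prefix, and compares hashes in constant time before checking revocation and expiry. The `Record` fields, the 12-character prefix length, hex encoding of the 32 random bytes, and the in-memory map standing in for the indexed `api_keys` table are all assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

type Record struct { // what is stored; the plaintext key never is (field names assumed)
	Prefix    string   // leading characters of the key: lookup index and display label
	Hash      [32]byte // SHA-256 of the full key
	ExpiresAt time.Time
	Revoked   bool
}

const prefixLen = 12 // "mcp_" plus 8 hex characters; this length is an assumption
var ErrInvalid = errors.New("invalid API key") // one error for every failure cause

// Generate returns the plaintext key (to show once) and the record to store.
func Generate(ttl time.Duration, now time.Time) (string, Record, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", Record{}, err
	}
	key := "mcp_" + hex.EncodeToString(buf) // hex encoding is an assumption
	return key, Record{Prefix: key[:prefixLen], Hash: sha256.Sum256([]byte(key)), ExpiresAt: now.Add(ttl)}, nil
}

// Validate looks the record up by prefix, then compares hashes in constant time.
func Validate(store map[string]Record, presented string, now time.Time) error {
	if len(presented) < prefixLen {
		return ErrInvalid
	}
	rec, found := store[presented[:prefixLen]] // a miss yields the zero Record
	sum := sha256.Sum256([]byte(presented))
	match := subtle.ConstantTimeCompare(sum[:], rec.Hash[:]) == 1
	if !found || !match || rec.Revoked || !now.Before(rec.ExpiresAt) {
		return ErrInvalid
	}
	return nil
}

func main() {
	key, rec, _ := Generate(time.Hour, time.Now())
	fmt.Println(rec.Prefix, Validate(map[string]Record{rec.Prefix: rec}, key, time.Now()))
}
```

An unsalted SHA-256 is adequate here only because the key carries 32 bytes of randomness; the hash and comparison still run on a prefix miss, so unknown and wrong keys take the same code path and return the same error.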