
Add admin-scoped user API tokens #77

Open
adithya1012 wants to merge 1 commit into mieweb:main from adithya1012:API-Token

Conversation

@adithya1012

Summary
This PR introduces a new scoped API token system for individual users, intended for PulseCam and future external client access to protected workflows.
It is fully separate from the existing Better Auth website API key flow and does not modify that implementation.

What’s Included

  • Added a new Prisma model for user-scoped tokens:
    • schema.prisma
    • migration.sql
  • Added typed token permissions with two allowed scopes:
    • issue_view
    • upload
    • api-token-permissions.ts
  • Added token issuing/verifying utility using Node crypto + Prisma:
    • Generates pv_live_ tokens
    • Stores hash only (SHA-256) + short prefix
    • Supports expiry, revocation, permission checks, and last-used tracking
    • api-token-utils.ts

Backend / API

  • Added new admin token routes under backend admin namespace:
    • Issue token
    • List tokens (without raw token/hash exposure)
    • List users for token assignment
    • Revoke token (soft delete via revokedAt)
    • admin-api-tokens.js
  • Added backend config support for internal admin route authorization and frontend internal routing:
    • 00-config.js

Frontend / Admin

  • Added admin server actions for create/list/revoke/list-users flows:
    • api-token-actions.ts
  • Added internal admin API endpoints used by backend route forwarding:
    • route.ts
    • frontend/app/api/internal/admin/api-tokens/[id]/revoke/route.ts
  • Extended Admin UI with an API Tokens tab (while preserving existing API Keys flow):
    • admin-client.tsx
    • admin-api-tokens.tsx

Security / Behavior Notes

  • Raw token is returned only once at creation time.
  • Token hash is never returned in list responses.
  • Revocation is soft-delete only (revokedAt timestamp).
  • Permission values are typed and validated against an allowlist.
  • Existing Better Auth API key feature remains untouched.

Env / Developer Experience

  • Added required env documentation/templating updates so setup works via env files:
    • .example.env
  • Updated compose env loading to consume service env files:
    • docker-compose.yml

feat: add admin API token management and env loading

Introduce admin API token creation, listing, and revocation flows in the frontend/admin stack to support controlled backend access with scoped permissions. Also load service-specific .env files in Docker Compose and document the required frontend backend URL and shared internal admin secret for consistent container configuration.
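To make the token lifecycle described above concrete (hash-only storage with a short prefix, allowlisted scopes, expiry, soft revocation, last-used tracking, and listings that never expose the hash), here is an added TypeScript example. It is not the PR's api-token-utils.ts: the record shape and the in-memory array standing in for the Prisma table are assumptions, and the 16-character prefix length is a constructed choice.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "crypto";
// The PR's two allowed scopes; anything else is rejected at issue time.
export const PERMISSIONS = ["issue_view", "upload"] as const;
export type Permission = (typeof PERMISSIONS)[number];

// Hypothetical record shape standing in for the Prisma model (assumption, not the PR's schema).
export interface TokenRecord {
  id: string; userId: string; prefix: string; tokenHash: string; permissions: Permission[];
  expiresAt: Date | null; revokedAt: Date | null; lastUsedAt: Date | null;
}
export const store: TokenRecord[] = []; // in-memory stand-in for the database table
const sha256 = (s: string) => createHash("sha256").update(s).digest("hex");
export function issueToken(userId: string, perms: string[], ttlMs: number | null = null) {
  const bad = perms.filter((p) => !(PERMISSIONS as readonly string[]).includes(p));
  if (bad.length) throw new Error(`permission not in allowlist: ${bad.join(", ")}`);
  const raw = "pv_live_" + randomBytes(32).toString("hex"); // 256 bits of entropy
  const record: TokenRecord = {
    id: randomBytes(8).toString("hex"), userId,
    prefix: raw.slice(0, 16),   // short prefix: enough to find the row, not to recover the token
    tokenHash: sha256(raw),     // the raw token itself is never persisted
    permissions: perms as Permission[],
    expiresAt: ttlMs === null ? null : new Date(Date.now() + ttlMs),
    revokedAt: null, lastUsedAt: null,
  };
  store.push(record);
  return { raw, record }; // raw is handed out exactly once, here
}
// Returns the record if the token is known, unrevoked, unexpired and carries `needed`.
export function verifyToken(raw: string, needed: Permission, now = new Date()): TokenRecord | null {
  const hash = Buffer.from(sha256(raw), "hex");
  const rec = store.find((r) => r.prefix === raw.slice(0, 16)
    && timingSafeEqual(Buffer.from(r.tokenHash, "hex"), hash)); // constant-time hash compare
  if (!rec || rec.revokedAt) return null;
  if (rec.expiresAt && rec.expiresAt.getTime() <= now.getTime()) return null;
  if (!rec.permissions.includes(needed)) return null;
  rec.lastUsedAt = now; // last-used tracking
  return rec;
}

// Soft delete: the row stays for audit, but verifyToken() rejects the token from now on.
export function revokeToken(id: string, now = new Date()): boolean {
  const rec = store.find((r) => r.id === id);
  if (!rec || rec.revokedAt) return false;
  rec.revokedAt = now;
  return true;
}

// List view: everything except the hash, so a listing can never leak a verifier.
export function listTokens() {
  return store.map(({ tokenHash: _h, ...safe }) => safe);
}
```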
adithya1012 marked this pull request as ready for review on April 8, 2026 16:29
@mfisher31

mfisher31 commented Apr 9, 2026

Hey @adithya1012 - how should I go about, locally, creating an admin user? I have the vault running with docker-compose. I set up login with github and then gave myself admin role directly with SQL, like this:

me@mac pulsevault % docker exec -it pulsevault-postgres psql -U pulsevault -d pulsevault -c \
  "UPDATE \"user\" SET role = 'admin' WHERE email = 'mfisher@******.net';"
UPDATE 1

After doing this, I log out, and back in, but do not see anything aside from "API Keys for other apps"

Earlier this morning and last night, I hacked/disabled the auth so that it just showed the admin interface without a login.... doing it that way I could see two tabs, Api keys, and API tokens on the Admin dashboard.

@mfisher31

BTW, I don't think it's a bug in the app, but rather me not setting up the dev environment correctly, or something, not sure.

[screenshot: 00-no-api-token-option]
