Cut user-owned API keys; redesign subject model

Removes the APIKey primitive entirely (Auth.IssueAPIKey/AuthenticateAPIKey/
RevokeAPIKey, APIKeyStore, Deps.APIKeys, Stores.APIKeys, Tables.APIKeys,
ErrAPIKeyInvalid, AuthMethodAPIKey, Principal.{APIKeyID, Abilities, HasAbility},
prefixAPIKey, RequireAPIKey, and the 6 SQL templates). Migration
0003_drop_api_keys.sql hard-drops authkit_api_keys.

The new subject model: *Principal carries identity only (sessions, JWTs);
*ServiceKey is the only abilities-bearing credential and gains a
HasAbility(name) method. RequireAbility now reads *ServiceKey from context
(user principals 403 by design). RequireRole/RequirePermission stay
Principal-only. New RequireServiceKey + ServiceKeyFrom + MustServiceKey,
and a heterogeneous RequireAnyOrServiceKey for routes that accept either.
RequireAny is now Principal-only (default [Session, JWT]).

Adds 7 middleware tests (auth, revoked, ability accept/reject across
subjects, role rejects service key, RequireAnyOrServiceKey both paths) and
1 (*ServiceKey).HasAbility unit test. Existing API-key tests deleted.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

authkit.go

@@ -17,7 +17,6 @@ type Deps struct {
 	Users       UserStore
 	Sessions    SessionStore
 	Tokens      TokenStore
-	APIKeys     APIKeyStore
 	ServiceKeys ServiceKeyStore
 	Roles       RoleStore
 	Permissions PermissionStore
@@ -70,8 +69,8 @@ type Auth struct {
 // returning an error — these are programmer errors, not runtime ones.
 func New(deps Deps, cfg Config) *Auth {
 	if deps.Users == nil || deps.Sessions == nil || deps.Tokens == nil ||
-		deps.APIKeys == nil || deps.ServiceKeys == nil || deps.Roles == nil ||
-		deps.Permissions == nil || deps.Hasher == nil {
+		deps.ServiceKeys == nil || deps.Roles == nil || deps.Permissions == nil ||
+		deps.Hasher == nil {
 		panic(errx.New("authkit.New", "all Deps fields are required"))
 	}
 	if len(cfg.JWTSecret) == 0 {