Cut user-owned API keys; redesign subject model

Removes the APIKey primitive entirely (Auth.IssueAPIKey/AuthenticateAPIKey/
RevokeAPIKey, APIKeyStore, Deps.APIKeys, Stores.APIKeys, Tables.APIKeys,
ErrAPIKeyInvalid, AuthMethodAPIKey, Principal.{APIKeyID, Abilities, HasAbility},
prefixAPIKey, RequireAPIKey, and the 6 SQL templates). Migration
0003_drop_api_keys.sql hard-drops authkit_api_keys.

The new subject model: *Principal carries identity only (sessions, JWTs);
*ServiceKey is the only abilities-bearing credential and gains a
HasAbility(name) method. RequireAbility now reads *ServiceKey from context
(user principals 403 by design). RequireRole/RequirePermission stay
Principal-only. New RequireServiceKey + ServiceKeyFrom + MustServiceKey,
and a heterogeneous RequireAnyOrServiceKey for routes that accept either.
RequireAny is now Principal-only (default [Session, JWT]).

Adds 7 middleware tests (auth, revoked, ability accept/reject across
subjects, role rejects service key, RequireAnyOrServiceKey both paths) and
1 (*ServiceKey).HasAbility unit test. Existing API-key tests deleted.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

service_service_key_test.go

@@ -140,6 +140,23 @@ func TestServiceKeyListByOwner(t *testing.T) {
 	}
 }
 
+func TestServiceKeyHasAbility(t *testing.T) {
+	k := &ServiceKey{Abilities: []string{"events:write", "events:read"}}
+	if !k.HasAbility("events:write") {
+		t.Fatalf("expected HasAbility(events:write) = true")
+	}
+	if !k.HasAbility("events:read") {
+		t.Fatalf("expected HasAbility(events:read) = true")
+	}
+	if k.HasAbility("admin:nuke") {
+		t.Fatalf("expected HasAbility(admin:nuke) = false")
+	}
+	empty := &ServiceKey{}
+	if empty.HasAbility("anything") {
+		t.Fatalf("HasAbility on empty Abilities must be false")
+	}
+}
+
 func TestServiceKeyTouchUpdatesLastUsedAt(t *testing.T) {
 	a := newTestAuth(t)
 	appID := uuid.New()