FlowAuth: add a token renewal endpoint so service tokens can be rotated without minting from scratch #7275

@jakejellinek

Description

Long-lived service tokens (e.g. Airflow FLOWAPI_TOKEN for MNO pipelines) need periodic renewal. Today this requires the operator to:

  1. Log in as an admin and bump expiry caps (see #7274, "FlowAuth: latest_token_expiry silently caps tokens, requiring admin-bumps before every renewal").
  2. Log out, log in as the service user (e.g. flowbot).
  3. Open the mint dialog, retype the same name, re-tick the same roles, click save.
  4. Copy the new JWT and paste into Airflow.

Steps 2–4 should be a single click. Step 1 is addressed separately by #7274.

Proposed change:

  • New endpoint POST /tokens/<token_id>/renew accepting {lifetime_minutes}.
  • Behaviour: looks up the existing TokenHistory row, mints a fresh JWT with the same name, same roles (per the token_roles table from #7273, "FlowAuth: surface assigned roles on the user's token list"), the requested lifetime, and the calling user as owner. Inserts a new TokenHistory row — the old row is left alone and its JWT remains valid until its own exp claim passes. This gives a natural overlap window for consumers to switch over without downtime.
  • UI: "Renew" button on each row in TokenList.jsx, with a lifetime picker.

The reused name is important operationally — monitoring tooling can create services keyed off token_history.name, so reusing the name keeps alert channels stable across renewals.

This depends on #7273 (token-role association) so the renewal can reproduce the original role set.

Related: #829.
