feat(apikey): list/create/revoke per user

[omattsson]

Summary

Server routes (scoped under /api/v1/users/:userId/api-keys):

• GET /api/v1/users/:userId/api-keys → stackctl apikey list [--user <id>]
• POST /api/v1/users/:userId/api-keys → stackctl apikey create --name X [--user <id>]
• DELETE /api/v1/users/:userId/api-keys/:keyId → stackctl apikey revoke <key-id> [--user <id>]

--user defaults to the caller's own user ID (resolve via auth/me).

Files to touch

• New: cli/cmd/apikey.go, cli/cmd/apikey_test.go.
• cli/pkg/types/types.go — APIKey, CreateAPIKeyRequest, CreateAPIKeyResponse (note: backend returns plaintext key once).
• cli/pkg/client/client.go — three methods.

Tests (all three layers required)

• Unit: cli/cmd/apikey_test.go + cli/pkg/client/client_test.go — list/create/revoke, all output modes, assert plaintext key is never logged at debug.
• Integration: new cli/test/integration/apikey_integration_test.go — Cobra in-process create→list→revoke round-trip; verify --quiet prints only the key.
• E2E: cli/test/e2e/cli_e2e_test.go — stackctl apikey create --name ci --quiet produces a single-line stdout pipeable to a token file.

Acceptance

• apikey create prints the plaintext key to stdout (default table) AND quiet mode prints only the key — pipeable for CI service-account bootstrap.
• Key is NEVER logged at debug level.

Tracks #59