feat: add MCP endpoint and API key management

- Add ApiKey Prisma model (SHA-256 hash, prefix, lastUsedAt) with migration
- Implement ApiKeyService (create, list, delete, verify)
- Extend requireAuth middleware to accept sk_-prefixed API keys alongside JWTs
- Add GET/POST /api-keys routes for creating and revoking keys
- Add stateless Streamable HTTP MCP server at POST/GET /mcp exposing all 20
  time-tracking tools (clients, projects, time entries, timer, statistics,
  client targets and corrections)
- Frontend: ApiKey types, apiKeys API module, useApiKeys hook
- Frontend: ApiKeysPage with key table, one-time raw-key reveal modal, and
  inline revoke confirmation
- Wire /api-keys route and add API Keys link to Management dropdown in Navbar

backend/prisma/schema.prisma

@@ -20,6 +20,7 @@ model User {
   timeEntries   TimeEntry[]
   ongoingTimer  OngoingTimer?
   clientTargets ClientTarget[]
+  apiKeys       ApiKey[]
 
   @@map("users")
 }
@@ -151,3 +152,18 @@ model Session {
 
   @@map("sessions")
 }
+
+model ApiKey {
+  id         String    @id @default(uuid())
+  name       String    @db.VarChar(255)
+  keyHash    String    @unique @map("key_hash") @db.VarChar(64) // SHA-256 hex
+  prefix     String    @db.VarChar(16) // first chars of raw key for display
+  lastUsedAt DateTime? @map("last_used_at")
+  createdAt  DateTime  @default(now()) @map("created_at")
+
+  userId String @map("user_id") @db.VarChar(255)
+  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@index([userId])
+  @@map("api_keys")
+}