feat(mcp): support multiple API keys per user (PUNT-376)#481

Open
jmynes wants to merge 1 commit into main from feat/punt-376-multiple-mcp-keys

Conversation

@jmynes jmynes commented Mar 23, 2026


Summary

  • Add McpApiKey Prisma model supporting multiple named API keys per user (with SHA-256 hashed storage, key prefix for display, and lastUsedAt tracking)
  • New API routes: POST/GET /api/me/mcp-keys and DELETE /api/me/mcp-keys/[keyId] with password + 2FA re-authentication
  • Updated MCP authentication (auth-helpers.ts, git-hook/route.ts) to check the new McpApiKey table first, falling back to legacy User.mcpApiKey for backwards compatibility
  • Redesigned Profile MCP tab to show a list of named keys with create/revoke actions, plus a two-step create dialog (name, then password)
  • Updated database export/import to include McpApiKey records

Key Design Decisions

  • Backwards compatible: Legacy User.mcpApiKey field is kept and still works for authentication. Users see a notice about their legacy key.
  • SHA-256 hashing: Consistent with existing MCP key approach (high-entropy keys don't need bcrypt)
  • Key prefix: First 12 chars (mcp_ + 8 hex) stored for display identification
  • 25 key limit: Reasonable cap per user to prevent abuse
  • lastUsedAt tracking: Updated on successful auth (throttled to every 5 minutes to avoid excessive writes)

Test plan

  • All 1527 existing tests pass
  • Create a new named MCP key via Profile UI
  • Verify the key is displayed once and cannot be retrieved again
  • Authenticate MCP requests using the new key
  • Verify lastUsedAt updates on successful auth
  • Revoke a key and verify it no longer authenticates
  • Verify legacy single key still works for existing users
  • Test database export/import includes McpApiKey records

🤖 Generated with Claude Code

Add McpApiKey model to support multiple named API keys per user,
replacing the single-key approach. Legacy User.mcpApiKey field
still works for backwards compatibility.

- New Prisma model: McpApiKey (id, name, keyHash, keyPrefix, lastUsedAt)
- New API routes: POST/GET /api/me/mcp-keys, DELETE /api/me/mcp-keys/[keyId]
- Updated MCP auth (auth-helpers + git-hook) to check new table first, then legacy
- Updated Profile UI with key list, create dialog, revoke, and new key display
- Updated database export/import to include McpApiKey records

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
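The key lifecycle described in the PR (SHA-256 hashed storage, a 12-character display prefix, a 25-key cap, named-table lookup with legacy fallback, and lastUsedAt throttled to five minutes), as an added illustration that is not the project's code. The in-memory arrays stand in for the Prisma tables, the full key length (mcp_ plus 64 hex) and the assumption that the legacy User.mcpApiKey field already holds a SHA-256 hex digest are mine, not the page's.

```typescript
import { createHash, randomBytes } from "node:crypto";

// In-memory stand-ins for the McpApiKey and User tables (assumed shape, not the real schema).
interface McpApiKeyRecord {
  id: string; userId: string; name: string; keyHash: string; keyPrefix: string; lastUsedAt: Date | null;
}
interface LegacyUser { id: string; mcpApiKey: string | null } // assumed to hold a SHA-256 hex digest
const MAX_KEYS_PER_USER = 25;
const LAST_USED_THROTTLE_MS = 5 * 60 * 1000;

// Only the digest is persisted; the key is high-entropy, so a plain SHA-256 (no bcrypt) suffices.
function hashKey(raw: string): string {
  return createHash("sha256").update(raw, "utf8").digest("hex");
}

// Returns the plaintext exactly once; after this call only the hash and prefix exist server-side.
function createMcpKey(store: McpApiKeyRecord[], userId: string, name: string): { record: McpApiKeyRecord; plaintext: string } {
  if (store.filter((k) => k.userId === userId).length >= MAX_KEYS_PER_USER) {
    throw new Error("key limit reached");
  }
  const plaintext = "mcp_" + randomBytes(32).toString("hex"); // total length is an assumption
  const record: McpApiKeyRecord = {
    id: randomBytes(8).toString("hex"), userId, name,
    keyHash: hashKey(plaintext),
    keyPrefix: plaintext.slice(0, 12), // "mcp_" + 8 hex, for display only
    lastUsedAt: null,
  };
  store.push(record);
  return { record, plaintext };
}

// Named-key table first, then the legacy single key. lastUsedAt is rewritten only when unset or
// older than five minutes, so a busy key does not turn every request into a database write.
function authenticateMcpKey(store: McpApiKeyRecord[], users: LegacyUser[], presented: string, now: Date): string | null {
  const digest = hashKey(presented);
  const named = store.find((k) => k.keyHash === digest);
  if (named) {
    const stale = named.lastUsedAt === null || now.getTime() - named.lastUsedAt.getTime() >= LAST_USED_THROTTLE_MS;
    if (stale) named.lastUsedAt = now;
    return named.userId;
  }
  const legacy = users.find((u) => u.mcpApiKey !== null && u.mcpApiKey === digest);
  return legacy ? legacy.id : null;
}

// Revocation deletes the row; the key's owner is checked so one user cannot revoke another's key.
function revokeMcpKey(store: McpApiKeyRecord[], userId: string, keyId: string): boolean {
  const idx = store.findIndex((k) => k.id === keyId && k.userId === userId);
  if (idx < 0) return false;
  store.splice(idx, 1);
  return true;
}
```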
@jmynes jmynes self-assigned this Mar 23, 2026