5b323137e0
Closes the 'Public REST API' last mile: external callers authenticate with a per-license API key instead of a JWT. Additive and zero-regression: - JwtAuthGuard: a corr_-prefixed bearer token (or X-API-Key header) is validated via ApiKeysService.validateKey and sets request.user shaped like a JWT user, scoped to the key's license. JWTs are eyJ... and never collide with the corr_ prefix, so the existing JWT path is byte-for-byte unchanged. - API-key calls act AS the license owner: validateKey now resolves license.owner_user_id so sub is a real UUID — any @CurrentUser/created_by FK insert works and attributes correctly. (ApiKeysModule gains the License repo.) - PermissionsGuard: is_api_key principals get full access to their own license (always tenant-scoped). Future: scoped/read-only keys. Backend tsc green. Untested at runtime (no local DB) — needs a curl smoke test on Saturday's fresh stack before the roadmap item flips to shipped. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>