feat(tokens): T41-T43 implement API token management endpoints

- Add max_api_tokens_per_user config (default 5)
- Implement POST /api/tokens (T41): generate token with limit check
- Implement GET /api/tokens (T42): list active tokens, no values exposed
- Implement DELETE /api/tokens/{id} (T43): soft delete with ownership check
- Security: plaintext token shown ONLY at creation
- Security: SHA-256 hash stored in DB, never the plaintext
- Security: revoked tokens return 401 on public API
- 24 tests with 100% coverage on tokens router

Closes T41, T42, T43

src/openrouter_monitor/main.py

@@ -10,6 +10,7 @@ from openrouter_monitor.routers import api_keys
 from openrouter_monitor.routers import auth
 from openrouter_monitor.routers import public_api
 from openrouter_monitor.routers import stats
+from openrouter_monitor.routers import tokens
 
 settings = get_settings()
 
@@ -33,6 +34,7 @@ app.add_middleware(
 # Include routers
 app.include_router(auth.router, prefix="/api/auth", tags=["authentication"])
 app.include_router(api_keys.router, prefix="/api/keys", tags=["api-keys"])
+app.include_router(tokens.router)
 app.include_router(stats.router)
 app.include_router(public_api.router)