Document the dashboard API Keys management page
The dashboard's API Keys page (list plus Create/Rotate/Revoke and the create dialog) had no design-doc coverage even though Authorization.md already documents the constraint model it exposes. Add an "API keys page" section to GatewayDashboardDesign.md describing the table columns, the LDAP-group-gated management actions, the one-time secret reveal, and audit logging. Cross-link it from the constraint-enforcement section of Authorization.md and the CLI section of Authentication.md so the two key-management surfaces reference each other.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -223,6 +223,10 @@ constraints remain fully unconstrained after migration.
|
||||
|
||||
Key ids are restricted by the parser to ASCII letters, digits, periods, and hyphens so they remain safe to embed in the token format and in URL paths used by administrative tooling.
|
||||
|
||||
The CLI is not the only management surface: the dashboard API Keys page
|
||||
creates, rotates, and revokes keys through the same `IApiKeyAdminStore`. See
|
||||
[Gateway Dashboard Design](./GatewayDashboardDesign.md#api-keys-page).
|
||||
|
||||
## Scope Serialization
|
||||
|
||||
Scopes are persisted as a single TEXT column rather than a join table because the set is small, never queried by membership at the database level, and changes atomically with the owning row. `ApiKeyScopeSerializer.Serialize` writes a JSON array sorted with `StringComparer.Ordinal` so equivalent scope sets produce byte-identical column values, which makes audit diffing and database comparisons deterministic:
|
||||
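Review bot: The added paragraph that follows the key-id sentence says the dashboard API Keys page creates keys through the same `IApiKeyAdminStore`, but it does not say whether ids entered in the dashboard create dialog are subject to the parser restriction described just above it (ASCII letters, digits, periods, and hyphens). That restriction is what keeps ids safe to embed in the token format and in URL paths, so state explicitly where it is enforced for the dashboard path, so a reader does not assume the CLI parser is the only guard. Also confirm that the `#api-keys-page` fragment matches the heading slug of the new section in GatewayDashboardDesign.md, since a later heading rename would break this link without any visible error.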
@@ -276,4 +280,5 @@ Singletons are safe because each operation opens its own short-lived `SqliteConn
|
||||
|
||||
- [Gateway Configuration](./GatewayConfiguration.md)
|
||||
- [Authorization](./Authorization.md)
|
||||
- [Gateway Dashboard Design](./GatewayDashboardDesign.md)
|
||||
- [Diagnostics](./Diagnostics.md)
|
||||
|
||||
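Review bot: The Gateway Dashboard Design entry in this related-documents list links to the top of GatewayDashboardDesign.md, while the paragraph added earlier in this diff deep-links to `#api-keys-page`. That is consistent with the other list entries, but if the entry is here because of the key-management cross-reference, consider using the same fragment so both links land on the same section.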