fix(configuration-database): resolve ConfigurationDatabase-012 — store inbound-API keys as HMAC-SHA256 hashes

Inbound-API bearer credentials are no longer persisted in plaintext. ApiKey now
holds a KeyHash (peppered HMAC-SHA256); the key is shown once at creation and
only its hash is stored. Lookup and validation hash the presented candidate.
Cross-module: Commons (ApiKey, ApiKeyHasher), ConfigurationDatabase (mapping +
HashApiKeyValue migration), InboundAPI (ApiKeyValidator), ManagementService
(key creation), CentralUI (ApiKeys.razor). Existing keys must be re-issued.
Joseph Doherty
2026-05-17 05:42:52 -04:00
parent f23513c30b
commit 7da303d7bb
18 changed files with 2113 additions and 62 deletions


@@ -46,7 +46,7 @@
<tr>
<th>ID</th>
<th>Name</th>
<th>Key Value</th>
<th>Key Hash</th>
<th style="width: 160px;">Actions</th>
</tr>
</thead>
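Review bot: the renamed header `<th>Key Hash</th>` keeps a column that no longer helps an operator identify a key. The commit message says the key is shown once at creation and only its hash is stored, so nobody holding a key can match it against a masked hash in this table, and the Name and ID columns already identify the row. Consider dropping the column, or documenting in the page why the hash is rendered in the UI at all.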
@@ -62,7 +62,7 @@
<span class="badge bg-secondary ms-1">Disabled</span>
}
</td>
<td><code>@MaskKeyValue(key.KeyValue)</code></td>
<td><code>@MaskKeyValue(key.KeyHash)</code></td>
<td>
<div class="d-flex gap-1">
<button class="btn btn-outline-primary btn-sm py-0 px-2"
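Review bot: in `<td><code>@MaskKeyValue(key.KeyHash)</code></td>` the helper is still named for a key value while it now receives a hash. Rename it (for example to a hash-specific name) or remove the call together with the cell, and check that its masking rule, written for the plaintext key format, still reveals only what is intended when the input is a hash string of a different length and alphabet. If the cell stays, a short comment stating that the displayed value is a hash and not a usable credential would prevent the next reader from treating it as a key.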