
Backend: Add Prisma storage layer for scoped admin tokens with rotation audit trail #858

Description

@Junirezz

Context

scopedAdminTokens.ts provides permission-scoped admin tokens with rotation support (Issue #723). Tokens are held in an in-memory Map.

Problem / Gap

Scoped tokens are not durable across restarts and cannot be shared across backend replicas. Token revocation and rotation state diverges per instance, creating auth inconsistencies in clustered deployments.

Proposed approach

  • Add Prisma models for scoped admin tokens and rotation history.
  • Hash secrets at rest; never persist plaintext token values.
  • Migrate existing create/rotate/revoke/list endpoints to the repository layer.
  • Emit admin audit events on rotation and revocation.

Acceptance criteria

  • Tokens created on one instance are valid on all instances after propagation.
  • Revoked tokens are rejected cluster-wide within one request cycle.
  • Rotation retains prior keyId audit trail without exposing old secrets.
  • Tests cover create, rotate, revoke, expiry, and permission enforcement.
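One way to realise the proposed approach and acceptance criteria end to end, as an added TypeScript example that is not code from this project: a repository contract the endpoints talk to, an in-memory implementation standing in for the Prisma-backed one so the example runs offline, and a service that creates, verifies, rotates and revokes tokens while storing only a hash of the secret and keeping the keyId to previousKeyId link as the rotation audit trail. The row shapes, the model names ScopedAdminToken and TokenRotation, the `<keyId>.<secret>` token format and the audit event names are assumptions for illustration, not the project's schema or API.

```typescript
import { createHash, randomBytes, timingSafeEqual } from "node:crypto";

// Row shapes standing in for the proposed Prisma models (assumed names
// ScopedAdminToken and TokenRotation; not the project's real schema).
export interface TokenRow {
  keyId: string;
  secretHash: string;        // sha256(secret) as hex; the plaintext is never stored
  permissions: string[];
  expiresAt: number;         // epoch ms
  revokedAt: number | null;
}
export interface RotationRow {
  keyId: string;             // replacement token
  previousKeyId: string;     // superseded token, kept for the audit trail
  rotatedAt: number;
}
export interface AuditEvent {
  type: "token.created" | "token.rotated" | "token.revoked";
  keyId: string;
  previousKeyId?: string;
  at: number;
}

// Repository contract the endpoints would call. A Prisma implementation maps
// these to prisma.scopedAdminToken.* / prisma.tokenRotation.* queries (async in
// practice); this in-memory version is synchronous so the example runs offline.
export interface TokenRepo {
  insert(row: TokenRow): void;
  find(keyId: string): TokenRow | undefined;
  markRevoked(keyId: string, at: number): void;
  insertRotation(r: RotationRow): void;
  rotationsOf(keyId: string): RotationRow[];
}
export class MemoryRepo implements TokenRepo {
  private tokens = new Map<string, TokenRow>();
  private rotations: RotationRow[] = [];
  insert(row: TokenRow) { this.tokens.set(row.keyId, { ...row }); }
  find(keyId: string) { const r = this.tokens.get(keyId); return r && { ...r }; }
  markRevoked(keyId: string, at: number) { const r = this.tokens.get(keyId); if (r) r.revokedAt = at; }
  insertRotation(r: RotationRow) { this.rotations.push(r); }
  rotationsOf(keyId: string) { return this.rotations.filter(r => r.keyId === keyId); }
}

// SHA-256 is adequate here because the secret is 256 bits of CSPRNG output,
// not a user-chosen password, so a slow password hash buys nothing.
const sha256 = (s: string) => createHash("sha256").update(s).digest("hex");

export class ScopedAdminTokens {
  readonly audit: AuditEvent[] = [];
  constructor(private repo: TokenRepo, private now: () => number = Date.now) {}

  private issue(permissions: string[], expiresAt: number) {
    const keyId = randomBytes(8).toString("hex");
    const secret = randomBytes(32).toString("base64url");
    this.repo.insert({ keyId, secretHash: sha256(secret), permissions, expiresAt, revokedAt: null });
    return { keyId, token: `${keyId}.${secret}` };   // the only copy of the plaintext
  }

  create(permissions: string[], ttlMs: number): string {
    const { keyId, token } = this.issue(permissions, this.now() + ttlMs);
    this.audit.push({ type: "token.created", keyId, at: this.now() });
    return token;
  }

  // Hits the repository on every call (no per-process cache), so a revocation
  // written by one replica is enforced by all of them on the next request.
  verify(token: string, required: string): boolean {
    const [keyId, secret, extra] = token.split(".");
    const row = keyId && secret && extra === undefined ? this.repo.find(keyId) : undefined;
    if (!row || row.revokedAt !== null || row.expiresAt <= this.now()) return false;
    const stored = Buffer.from(row.secretHash, "hex");
    const given = Buffer.from(sha256(secret), "hex");
    if (stored.length !== given.length || !timingSafeEqual(stored, given)) return false;
    return row.permissions.includes(required);
  }

  // Issues a successor with the same scope and expiry, retires the old keyId,
  // and records the keyId -> previousKeyId link without any secret material.
  rotate(keyId: string): string | null {
    const old = this.repo.find(keyId);
    if (!old || old.revokedAt !== null) return null;
    const next = this.issue(old.permissions, old.expiresAt);
    this.repo.markRevoked(keyId, this.now());
    this.repo.insertRotation({ keyId: next.keyId, previousKeyId: keyId, rotatedAt: this.now() });
    this.audit.push({ type: "token.rotated", keyId: next.keyId, previousKeyId: keyId, at: this.now() });
    return next.token;
  }

  revoke(keyId: string): boolean {
    const row = this.repo.find(keyId);
    if (!row || row.revokedAt !== null) return false;
    this.repo.markRevoked(keyId, this.now());
    this.audit.push({ type: "token.revoked", keyId, at: this.now() });
    return true;
  }
}
```

The cluster-wide revocation criterion is met by design rather than by propagation logic: `verify` never caches rows, so every replica reads the current `revokedAt` from the shared store on each request. The rotation table stores only key identifiers, which satisfies the requirement that the prior keyId remains auditable without any old secret being recoverable from the database.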

Files/areas affected

  • backend/src/scopedAdminTokens.ts
  • backend/src/middleware/rbac.ts
  • backend/prisma/schema.prisma
