Add API key scoped permissions (read-only vs write)

[Kingsman-99]

Description

src/app/settings/api-keys/page.tsx creates API keys with full access — there's no way to issue a read-only key for safer third-party integrations. This issue adds scoped permissions per key.

Technical Context

Involves src/app/settings/api-keys/page.tsx. Each key gets a scope: "read" | "write" field set at creation, displayed in the key list, and enforced by src/app/api/* route handlers checking the scope before mutating operations.

Acceptance Criteria

• Key creation form has a scope selector defaulting to "read"
• Key list shows scope as a badge next to each key
• Write-scope-required API routes reject read-only keys with 403 and a clear error body
• Existing keys created before this change default to "write" (backward compatible) with a one-time banner suggesting review
• Unit tests: read-only key rejected on write endpoint, write key allowed, default migration behavior

---

[bitstarkbridge]

@bitstarkbridge has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

I’d like to work on this issue because it aligns closely with my interest in building reliable, user-focused solutions on the Stellar ecosystem. I enjoy contributing to projects that solve real-world problems through blockchain technology, and this issue presents an opportunity to improve the project's functionality, maintainability, and overall user experience while collaborating with the open-source community.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @bitstarkbridge to this issue.

[drips-wave]

Congratulations, @bitstarkbridge! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @bitstarkbridge: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[grantfox-oss]

🦊 GrantFox — @bitstarkbridge has been assigned to this issue as part of the Official Campaign campaign!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #219)
2. Your PR will be reviewed by the Stellar-split maintainers

Good luck! Track your progress on GrantFox.

[Bamzy123]

@Bamzy123 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

I would love to work on this maintainer.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Bamzy123 to this issue.

[drips-wave]

Congratulations, @Bamzy123! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @Bamzy123: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊