feat: add API key entity, repository, and service with SHA-256 hashing

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/test/java/net/siegeln/cameleer/saas/apikey/ApiKeyServiceTest.java

@@ -0,0 +1,34 @@
+package net.siegeln.cameleer.saas.apikey;
+
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class ApiKeyServiceTest {
+
+    @Test
+    void generatedKeyShouldHaveCmkPrefix() {
+        var service = new ApiKeyService(null);
+        var key = service.generate();
+        assertThat(key.plaintext()).startsWith("cmk_");
+        assertThat(key.prefix()).hasSize(12);
+        assertThat(key.keyHash()).hasSize(64);
+    }
+
+    @Test
+    void generatedKeyHashShouldBeConsistent() {
+        var service = new ApiKeyService(null);
+        var key = service.generate();
+        String rehash = ApiKeyService.sha256Hex(key.plaintext());
+        assertThat(rehash).isEqualTo(key.keyHash());
+    }
+
+    @Test
+    void twoGeneratedKeysShouldDiffer() {
+        var service = new ApiKeyService(null);
+        var key1 = service.generate();
+        var key2 = service.generate();
+        assertThat(key1.plaintext()).isNotEqualTo(key2.plaintext());
+        assertThat(key1.keyHash()).isNotEqualTo(key2.keyHash());
+    }
+}