#141 [highway-api] API tokens need scoped permissions support

closed critical Created 2025-11-27 21:17 · Updated 2025-11-28 01:26

Description

Currently API tokens only identify the user - permissions come from the user's roles. Need to add scopes/permissions to tokens so a tenant_admin can create a read-only token. Token payload should include a 'scopes' field and permission checks should intersect user roles with token scopes.
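
One way to implement the intersection described above, as an added example that is not highway-api's own code. The role names other than tenant_admin, the permission strings, the `sub` field and the handling of tokens that have no 'scopes' field are assumptions.

```python
# Added example. ROLE_PERMISSIONS, the permission strings and the payload
# layout (other than the 'scopes' field) are assumptions, not the real schema.
ROLE_PERMISSIONS = {
    "tenant_admin": {"tenant:read", "tenant:write", "token:create"},
    "viewer": {"tenant:read"},
}

def role_permissions(roles):
    """Union of permissions granted by the roles; unknown roles grant nothing."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def mint_token(user, roles, requested_scopes):
    """Build a token payload whose scopes can only narrow the creator's rights."""
    requested = set(requested_scopes)
    excess = requested - role_permissions(roles)
    if excess:
        raise PermissionError(f"scopes exceed creator's roles: {sorted(excess)}")
    return {"sub": user, "scopes": sorted(requested)}

def effective_permissions(payload, current_roles):
    """Intersect the user's current role permissions with the token's scopes."""
    granted = role_permissions(current_roles)
    if "scopes" not in payload:
        # Assumption: a token issued before scoping existed has no 'scopes'
        # field and keeps the old roles-only behaviour.
        return granted
    scopes = payload["scopes"]
    if not isinstance(scopes, (list, tuple, set, frozenset)):
        # Malformed field (for example a bare string or null): grant nothing.
        return set()
    return granted & set(scopes)

def is_allowed(payload, current_roles, permission):
    """Permission check used at request time; roles are looked up fresh."""
    return permission in effective_permissions(payload, current_roles)
```

Because the roles are evaluated at request time, a token minted by a tenant_admin loses write access as soon as that user is downgraded, even though its scopes still list it.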
