#257 SECURITY: API Key rotation did not deactivate old keys
Description
Critical security vulnerability discovered in API key rotation:
**Issues Found:**
1. Rotation kept old keys active (is_active=TRUE) - only set expires_at
2. is_rotating flag was set but never checked by RBAC middleware
3. Default 24h grace period meant compromised keys stayed valid
4. No immediate deactivation option for security incidents
**Impact:**
- Compromised API keys remained valid for 24 hours after rotation
- Multiple rotations created chains of active keys
- Security incident response ineffective
**Fix Applied:**
1. Default behavior now IMMEDIATELY deactivates old key
2. Grace period is opt-in via grace_period_hours parameter
3. List endpoint shows 'rotating' status for keys in grace period
4. Existing rotated keys in production deactivated
**Files Modified:**
- api/blueprints/v1/api_keys.py (rotate_api_key, list_api_keys)
**Database Fix:**
UPDATE api_keys SET is_active=FALSE WHERE is_rotating=TRUE
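As an added illustration (not code from the project's api_keys.py), the following in-memory model reproduces the bug and the fix described above: the pre-fix rotation that leaves the old key active and only sets expires_at, the fixed rotation where the grace period is opt-in via grace_period_hours, and the middleware validity check plus the 'rotating' list status. ApiKey, NOW and hours_after are constructed stand-ins for the real table and ORM.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

# Constructed fixed "now" so the example is deterministic.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def hours_after(base: datetime, hours: float) -> datetime:
    return base + timedelta(hours=hours)


@dataclass
class ApiKey:
    """Hypothetical row of the api_keys table; column names follow the issue."""
    key_id: str
    owner: str
    is_active: bool = True
    is_rotating: bool = False
    expires_at: Optional[datetime] = None


def rotate_vulnerable(old: ApiKey, now: datetime, grace_hours: int = 24) -> ApiKey:
    """Pre-fix behaviour: old key stays is_active=TRUE; only expires_at is set."""
    old.is_rotating = True
    old.expires_at = hours_after(now, grace_hours)
    return ApiKey(key_id=secrets.token_hex(16), owner=old.owner)


def rotate_fixed(old: ApiKey, now: datetime, grace_period_hours: int = 0) -> ApiKey:
    """Fixed behaviour: default deactivates the old key immediately; grace is opt-in."""
    if grace_period_hours <= 0:
        old.is_active = False
        old.is_rotating = False
        old.expires_at = now
    else:
        old.is_rotating = True
        old.expires_at = hours_after(now, grace_period_hours)
    return ApiKey(key_id=secrets.token_hex(16), owner=old.owner)


def is_key_valid(key: ApiKey, now: datetime) -> bool:
    """Middleware check: inactive or expired keys are rejected."""
    if not key.is_active:
        return False
    return key.expires_at is None or now < key.expires_at


def key_status(key: ApiKey, now: datetime) -> str:
    """Status for the list endpoint: 'rotating' while a grace period is running."""
    if not is_key_valid(key, now):
        return "inactive"
    return "rotating" if key.is_rotating else "active"
```

Rotating the same owner's key twice with rotate_vulnerable leaves every key valid for 24 hours, which is the chain of active keys the impact section describes; rotate_fixed with the default leaves exactly one valid key.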