fix(core/api): gate token mint + revoke on sentinel:all

[BK1031]

Audit hole

The most severe gap from the post-s2s-auth audit:

• `POST /core/token` (GenerateToken) — UNGATED. Anyone reachable could mint a JWT claiming any entity, with any scope (including `sentinel:all` itself).
• `DELETE /core/token/:id` (RevokeToken) — UNGATED. Anyone could revoke any token by ID.

Fix

Both now `Require(c, RequestTokenHasScope(c, "sentinel:all"))`. Internal services (sentinel-core/discord/oauth/saml) already carry `sentinel:all` after PR #79, so they keep working. Any third-party caller or unauthed request is now 401.

This is the first in a stack of "harden core API gates" PRs. After this lands:

• fix(core/api): gate group + join-request + conditional-binding mutations #81 → groups mutations + join requests + conditional bindings
• fix(core/api): gate user + entity mutations #82 → user + entity mutations
• fix(core/api): gate PII reads + enumeration endpoints #83 → PII reads + enumeration

Test plan

• `curl -X POST /core/token` without auth → 401
• `curl -X POST /core/token` with a non-sentinel:all bearer → 401
• `curl -X POST /core/token` with sentinel-core's bearer → 200, token issued
• OAuth login flow (which calls into core's token service from oauth, not core directly) still works