
[FEATURE] Implement API key rotation flow — allow users to regenerate pk_live/sk_live without invalidating existing sessions #277

@Abhushan187

Description

Problem

Users currently cannot rotate their API keys without creating a new project. If a key is accidentally exposed in a public repository or client-side code, the only remediation is project deletion — which destroys all data, collections, and configurations. This is unacceptable for production usage.


Proposed Improvement

Add a secure key rotation flow in the project dashboard that allows users to regenerate pk_live and sk_live independently without data loss. The feature should:

  • Add "Rotate Publishable Key" and "Rotate Secret Key" buttons in Project Settings
  • Generate new keys immediately while keeping old keys valid for a 24-hour grace period
  • Send email notification to project owner on key rotation
  • Invalidate old keys after grace period via a scheduled BullMQ job
  • Maintain all existing user sessions and JWT tokens (key rotation ≠ session invalidation)
  • Log all rotation events to the audit trail

Expected Impact

  • Better security posture for production projects
  • Improved incident response when keys are leaked
  • Zero-downtime key rotation without data loss
  • Better long-term scalability with enterprise-grade key management

Possible Implementation

  • Add ApiKeyRotation service in apps/dashboard-api/services/
  • Extend Project model with pkLive, skLive, pkLivePrevious, skLivePrevious, keyRotationGracePeriodEndsAt
  • Add POST /api/projects/{id}/keys/rotate endpoint with keyType param ('publishable' | 'secret')
  • Add keyRotationCleanup BullMQ worker to invalidate old keys after grace period
  • Update dashboard UI with rotation buttons, grace period countdown, and confirmation modal
  • Write tests for rotation flow, grace period edge cases, and old key invalidation
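As an added illustration of the grace-period logic proposed above (not the project's own code), using the field names from the proposed Project model; the BullMQ scheduling, persistence, email and audit-log parts are assumed to wrap these functions and are left out:

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";
type KeyType = "publishable" | "secret";
export const GRACE_PERIOD_MS = 24 * 60 * 60 * 1000;

// Field names follow the issue's proposed Project model (assumed shape).
export interface Project {
  id: string;
  pkLive: string;
  skLive: string;
  pkLivePrevious: string | null;
  skLivePrevious: string | null;
  keyRotationGracePeriodEndsAt: Date | null;
}

// 32 random bytes, hex-encoded, behind the pk_live/sk_live prefix.
export function generateKey(keyType: KeyType): string {
  const prefix = keyType === "publishable" ? "pk_live_" : "sk_live_";
  return prefix + randomBytes(32).toString("hex");
}

// Rotate one key: the new key becomes current, the old key stays valid until
// the grace period ends. Sessions and JWTs are not touched at all.
export function rotateKey(project: Project, keyType: KeyType, now = new Date()): Project {
  const fresh = generateKey(keyType);
  const graceEnd = new Date(now.getTime() + GRACE_PERIOD_MS);
  return keyType === "publishable"
    ? { ...project, pkLivePrevious: project.pkLive, pkLive: fresh, keyRotationGracePeriodEndsAt: graceEnd }
    : { ...project, skLivePrevious: project.skLive, skLive: fresh, keyRotationGracePeriodEndsAt: graceEnd };
}

// Constant-time comparison so key checks do not leak matching prefixes.
function safeEqual(a: string, b: string | null): boolean {
  if (b === null || a.length !== b.length) return false;
  return timingSafeEqual(Buffer.from(a), Buffer.from(b));
}

// Accept the current key, or the previous key only while the grace period runs.
export function isKeyValid(project: Project, keyType: KeyType, presented: string, now = new Date()): boolean {
  const current = keyType === "publishable" ? project.pkLive : project.skLive;
  const previous = keyType === "publishable" ? project.pkLivePrevious : project.skLivePrevious;
  if (safeEqual(presented, current)) return true;
  const graceEnd = project.keyRotationGracePeriodEndsAt;
  return graceEnd !== null && now < graceEnd && safeEqual(presented, previous);
}

// What the keyRotationCleanup worker does once the grace period has elapsed.
export function cleanupExpiredKeys(project: Project, now = new Date()): Project {
  const graceEnd = project.keyRotationGracePeriodEndsAt;
  if (graceEnd === null || now < graceEnd) return project;
  return { ...project, pkLivePrevious: null, skLivePrevious: null, keyRotationGracePeriodEndsAt: null };
}
```

Note that the proposed model has a single keyRotationGracePeriodEndsAt, so rotating the second key type inside an open grace window extends the window for both previous keys; a per-key timestamp avoids that.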

I'm a GSSoC'26 contributor; please assign this task to me!
