Description

• Extend token management endpoints to accept and returnscopes: string[] andallow_list: string[].
• Validate requested scopes against the catalog; reject unknown names.
• Enforce user’s role intersection: a scoped key cannot be used to mint a broader-scoped key than the caller is authorized to create.

Key files/areas

• coderd/apikey.go handlers and request/response types.
• Swagger annotations to update generated API docs.

Acceptance criteria

• New request/response shapes reflected indocs/reference/api/* after generation.
• Authorization tests cover “cannot mint elevated scopes”.