feat(tokens): add admin bypass for POST /tokens/teams/{team_id} to support service account workflows

[bogdanmariusc10]

🔗 Related Issue

Closes #4390

---

📝 Summary

Adds admin bypass capability to POST /tokens/teams/{team_id} endpoint to support service account workflows and centralized token management.

Problem:

• Platform admins and service accounts were blocked from creating team tokens when not active members of the target team
• This prevented centralized token provisioning and emergency access scenarios
• Inconsistent with other admin endpoints that allow un-narrowed admins to bypass team restrictions

Solution:

• Modified token_catalog_service.py to check for un-narrowed platform admin status (caller_permissions=["*"]) before enforcing team membership
• Un-narrowed platform admins can now create team tokens without being active team members
• Narrowed admin sessions and regular users still require team membership (security invariant maintained)

Use Cases Enabled:

• Service account management across teams
• Centralized token provisioning by platform admins
• Emergency access without joining teams
• Automated CI/CD workflows

---

🏷️ Type of Change

• Feature / Enhancement
• Bug fix
• Documentation
• Refactor
• Chore (deps, CI, tooling)
• Other (describe below)

---

🧪 Verification

Check	Command	Status
Lint suite	make lint	✅ Pass
Unit tests	make test	✅ Pass
Coverage ≥ 80%	make coverage	✅ Pass

New Tests Added:

• test_create_token_admin_bypass_with_unrestricted_permissions - Verifies admin bypass works correctly
• test_create_token_narrowed_admin_requires_membership - Ensures narrowed admins still need membership
• test_create_token_no_caller_permissions_requires_membership - Validates None permissions require membership
• test_create_token_empty_caller_permissions_requires_membership - Validates empty list requires membership
• test_create_token_admin_bypass_still_validates_team_exists - Ensures team existence check remains enforced

---

✅ Checklist

• Code formatted (make black isort pre-commit)
• Tests added/updated for changes (5 new comprehensive tests)
• Documentation updated (inline comments explaining security model)
• No secrets or credentials committed

---

📓 Notes

Security Invariants Maintained:

1. ✅ Requires un-narrowed platform admin (is_admin=true AND caller_permissions=["*"])
2. ✅ Narrowed admin sessions still require team membership
3. ✅ Regular users still require team membership
4. ✅ Team existence validation enforced for all users
5. ✅ Management Plane isolation preserved
6. ✅ Audit trail maintained (token creation logs include user email)

Implementation Details:

• Admin bypass check: is_unrestricted_admin = caller_permissions is not None and caller_permissions == ["*"]
• Only skips membership validation when condition is true
• Team existence check always runs before membership check
• Consistent with existing admin bypass patterns in the codebase

Testing Coverage:

• Positive case: Admin with ["*"] permissions can create team tokens
• Negative cases: Narrowed admins, users with None permissions, users with [] permissions all require membership
• Edge case: Admin bypass still validates team exists (cannot create tokens for non-existent teams)