GSSA-2026-04-N08T9C | 2026-04-25 | 7.0 High
Service API tokens never expire
JWTs minted by `/api/users/@me/key` (service tokens granting admin-equivalent access via `service: true`) had no `expiresAt`, and the auth middleware silently passed `undefined < Date.now()`. Service tokens were valid forever.
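JWTs minted by `/api/users/@me/key` (granting admin-equivalent access via `service: true`) had no `expiresAt` field, and the auth middleware silently passed them: with the field missing, its expiry comparison became `undefined < Date.now()`, which always evaluates to `false`, so the check never flagged a token as expired. Service tokens were valid forever with no working revocation path.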
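The expiry comparison described above, next to a fail-closed version, as an added example that is not the project's own code. The claim names `expiresAt` and `service` come from the advisory; the function names, the `sub` and `issuedAt` claims, and the 30-day lifetime cap are assumptions for illustration.

```javascript
// Added example: not the project's code. Names other than `expiresAt` and
// `service` are hypothetical, and the 30-day cap is an assumed policy.
const SERVICE_TOKEN_TTL_MS = 30 * 24 * 60 * 60 * 1000;

// The pattern from the advisory: reject only when expiresAt < now.
// A missing expiresAt is undefined, which coerces to NaN, and NaN < n is
// always false, so the token is never treated as expired.
function acceptsVulnerable(claims, now = Date.now()) {
  if (claims.expiresAt < now) return false;
  return true;
}

// Fail closed: the token is accepted only if expiresAt is a finite number
// in the future, and service tokens cannot outlive the lifetime cap.
function acceptsHardened(claims, now = Date.now()) {
  const exp = claims.expiresAt;
  if (typeof exp !== "number" || !Number.isFinite(exp)) return false;
  if (exp <= now) return false;
  if (claims.service === true && exp - now > SERVICE_TOKEN_TTL_MS) return false;
  return true;
}

// Minting side: every service token carries an explicit expiry.
function mintServiceClaims(userId, now = Date.now()) {
  return {
    sub: userId,
    service: true,
    issuedAt: now,
    expiresAt: now + SERVICE_TOKEN_TTL_MS,
  };
}

// Constructed sample claims (not taken from any real token).
const SAMPLE_NOW = 1_000_000_000_000;
const legacyToken = { sub: "u1", service: true };              // no expiresAt
const stringExpiry = { sub: "u1", service: true, expiresAt: "never" };
const expiredToken = { sub: "u1", service: true, expiresAt: SAMPLE_NOW - 1 };
const freshToken = mintServiceClaims("u1", SAMPLE_NOW);
```

Tokens issued before such a fix still lack `expiresAt`; under the fail-closed check they are rejected and have to be reissued.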