Update API Key Scopes

Each scope grants a role on a specific resource:

{
  "resource_type": "agent",
  "resource_id": "agt_xxx",
  "role": "editor"
}

Resource Type	Valid Roles
`org`	`admin`, `member`
`namespace`	`admin`
`project`	`discoverer`, `viewer`, `editor`, `owner`
`agent`	`discoverer`, `viewer`, `editor`, `owner`, `executor`

The executor role is legacy and is normalized to viewer internally, but still grants run permission.