Add granular permissions and environment scoping to private API keys

Currently, a private key is required for setting up the Builder CMS MCP server. Private API keys in Builder have all-or-nothing access to a space. There's a need to limit exposure and control what different API keys can access, especially with interest from non-engineers for using the CMS MCP. This feature request asks for:

1. Granular permissions on private keys - the ability to scope what operations a given key can perform (read, write, etc.)

2. Optional expiry date for private keys

3. Environment assignment for private keys - the ability to restrict a key to specific environments in Hybrid spaces (eg development, production)