Internal users could exploit key/generate and key/update to create unbound
keys (no user_id, no budget) or attach keys to non-existent teams. This
adds validation for non-admin callers: auto-assign user_id on generate,
reject invalid team_ids, and prevent removing user_id on update.
Closes LIT-1884
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>