refactor(api): ApiKeyController index() excludes expired keys (review M1)

Code-quality review of Task 3: index() filtered by is_active only —
an expired-but-active key would be listed as valid. Adds an
expires_at > now() filter plus a test. Cannot occur today (regenerate
is the only write path, always +1 year) but is the correct semantic
contract for an «active key» listing.

phpstan-baseline.neon: count bumps only for ApiKeyControllerTest.php
($tenant 5→7, $user 3→5, getJson 3→4).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

app/app/Http/Controllers/Api/ApiKeyController.php

@@ -31,6 +31,7 @@ class ApiKeyController extends Controller
         $keys = ApiKey::query()
             ->where('tenant_id', $tenantId)
             ->where('is_active', true)
+            ->where('expires_at', '>', now())
             ->orderByDesc('created_at')
             ->get(['id', 'name', 'key_prefix', 'last_used_at', 'expires_at', 'created_at']);
 

app/phpstan-baseline.neon

@@ -243,13 +243,13 @@ parameters:
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$tenant\.$#'
 			identifier: property.notFound
-			count: 5
+			count: 7
 			path: tests/Feature/ApiKeyControllerTest.php
 
 		-
 			message: '#^Access to an undefined property Pest\\PendingCalls\\TestCall\:\:\$user\.$#'
 			identifier: property.notFound
-			count: 3
+			count: 5
 			path: tests/Feature/ApiKeyControllerTest.php
 
 		-
@@ -261,7 +261,7 @@ parameters:
 		-
 			message: '#^Call to an undefined method Pest\\PendingCalls\\TestCall\:\:getJson\(\)\.$#'
 			identifier: method.notFound
-			count: 3
+			count: 4
 			path: tests/Feature/ApiKeyControllerTest.php
 
 		-

app/tests/Feature/ApiKeyControllerTest.php

@@ -43,6 +43,26 @@ test('GET /api/api-keys изолирован по тенанту', function () {
     expect($response->json('data'))->toHaveCount(0);
 });
 
+test('GET /api/api-keys не возвращает истёкшие ключи', function () {
+    ApiKey::factory()->create([
+        'tenant_id' => $this->tenant->id,
+        'user_id' => $this->user->id,
+        'is_active' => true,
+        'expires_at' => now()->subDay(),
+    ]);
+    ApiKey::factory()->create([
+        'tenant_id' => $this->tenant->id,
+        'user_id' => $this->user->id,
+        'is_active' => true,
+        'expires_at' => now()->addYear(),
+    ]);
+
+    $response = $this->getJson('/api/api-keys');
+
+    $response->assertOk();
+    expect($response->json('data'))->toHaveCount(1);
+});
+
 test('POST /api/api-keys/regenerate создаёт ключ и возвращает plaintext один раз', function () {
     $response = $this->postJson('/api/api-keys/regenerate');