feat: add domain-based access control for API keys (#198)

Co-authored-by: Claude <noreply@anthropic.com>

apps/web/src/server/service/api-service.ts

@@ -9,12 +9,29 @@ export async function addApiKey({
   name,
   permission,
   teamId,
+  domainId,
 }: {
   name: string;
   permission: ApiPermission;
   teamId: number;
+  domainId?: number;
 }) {
   try {
+    // Validate domain ownership if domainId is provided
+    if (domainId !== undefined) {
+      const domain = await db.domain.findUnique({
+        where: { 
+          id: domainId,
+          teamId: teamId 
+        },
+        select: { id: true },
+      });
+      
+      if (!domain) {
+        throw new Error("DOMAIN_NOT_FOUND");
+      }
+    }
+
     const clientId = smallNanoid(10);
     const token = randomBytes(16).toString("hex");
     const hashedToken = await createSecureHash(token);
@@ -26,6 +43,7 @@ export async function addApiKey({
         name,
         permission: permission,
         teamId,
+        domainId,
         tokenHash: hashedToken,
         partialToken: `${apiKey.slice(0, 6)}...${apiKey.slice(-3)}`,
         clientId,
@@ -45,6 +63,11 @@ export async function getTeamAndApiKey(apiKey: string) {
     where: {
       clientId,
     },
+    include: {
+      domain: {
+        select: { id: true, name: true },
+      },
+    },
   });
 
   if (!apiKeyRow) {