feat(auth): admin-issued café recovery key login

Platform admins can generate a permanent recovery key per café (admin
panel → Cafés). The café Owner uses it to sign in when OTP access is lost;
once authenticated, all server-side data syncs as normal (data is per-café
on the server, the device only caches it).

Backend:
- Cafe.RecoveryKeyHash (SHA-256, unique index) + RecoveryKeyCreatedAt; migration
- RecoveryKeyGenerator util: MZ-XXXXX-XXXXX-XXXXX-XXXXX, ~190-bit entropy,
  stored as SHA-256 (API-token pattern — raw key shown once, never retrievable)
- Admin: POST/DELETE /api/admin/cafes/{id}/recovery-key (key returned once);
  café list now reports HasRecoveryKey + RecoveryKeyCreatedAt
- Login: POST /api/auth/login-key → exact-hash lookup → resolves café Owner →
  issues normal JWT; rate-limited (auth-otp), suspended/no-owner guarded, logged

Admin UI: per-café generate / regenerate / revoke with one-time reveal + copy.
Dashboard login: discreet "ورود با کلید بازیابی" link → key field. fa/en/ar.

86 tests pass; all tsc clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

web/dashboard/messages/en.json

@@ -72,6 +72,11 @@
     "password": "Password",
     "passwordPlaceholder": "Password",
     "invalidCredentials": "Incorrect username or password.",
+    "invalidKey": "Invalid recovery key.",
+    "recoveryKey": "Recovery key",
+    "keyHint": "Enter the recovery key you received from Meezi support.",
+    "useRecoveryKey": "Lost access? Sign in with a recovery key",
+    "backToNormalLogin": "Back to normal sign-in",
     "kojaSlug": "Koja profile address",
     "kojaSlugHint": "Customers will find your cafe at this address",
     "kojaSlugPlaceholder": "e.g. my-cafe"