Version: v1.0.0(int)

W006: List my API tokens

Returns the caller's active (non-revoked) PATs. Used by the API tokens section of the admin UI on /me and by any CLI tool that wants to enumerate the tokens belonging to the identity it runs as.

Steps

  1. Read userId from ctx (set by middleware after Firebase or PAT verification).
  2. List active tokens. Call Platform.listApiTokensForUser(userId), which filters out rows with non-null revoked_at.
  3. Return. The L4 boundary serializes; token_hash is never included because the L4 schema (ApiTokenSchema) doesn't define it.

Returns

ApiToken[].

Business rules

  • Revoked tokens are hidden. Display-side, the user never sees historical revoked tokens. (If we want an audit view later, that is a separate workflow with admin-level gating.)
  • No plaintext, no hash. The L4 schema omits both. This only holds if ApiTokenSchema strips undeclared keys rather than passing them through, so treat the schema as an allow-list of output fields, not as a validator of what happens to be present. Prefix is included for visual identification only and is not sufficient to authenticate.
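The three steps and the two business rules above, as an added TypeScript model that is not the project's code: the storage row shape, the in-memory store, the Ctx type, the ForbiddenError class and the list of fields ApiTokenSchema defines are all assumptions made for illustration. The serializer projects onto the schema's field list instead of deleting token_hash, so a column added to the row later is not returned by default.

```typescript
// Added example modelling W006. Every type, class and field name here is an
// assumption for illustration; none of it is the project's own code.

// Storage row as the platform layer sees it (assumed shape).
interface ApiTokenRow {
  id: string;
  user_id: string;
  name: string;
  prefix: string;       // short display prefix, not a credential
  token_hash: string;   // hash of the secret; must never cross the L4 boundary
  created_at: string;
  revoked_at: string | null;
}

// Public shape returned by the L4 boundary (assumed ApiTokenSchema fields).
interface ApiToken {
  id: string;
  name: string;
  prefix: string;
  created_at: string;
}

// The schema acts as an allow-list: only these keys are ever emitted.
const API_TOKEN_FIELDS: ReadonlyArray<keyof ApiToken> = ["id", "name", "prefix", "created_at"];

class ForbiddenError extends Error {
  constructor(message = "forbidden") {
    super(message);
    this.name = "ForbiddenError";
  }
}

// Constructed sample rows: two active and one revoked token for user u1,
// plus one active token belonging to another user.
const ROWS: ApiTokenRow[] = [
  { id: "t1", user_id: "u1", name: "laptop", prefix: "pat_a1b2", token_hash: "h1", created_at: "2024-01-01", revoked_at: null },
  { id: "t2", user_id: "u1", name: "ci", prefix: "pat_c3d4", token_hash: "h2", created_at: "2024-02-01", revoked_at: null },
  { id: "t3", user_id: "u1", name: "old", prefix: "pat_e5f6", token_hash: "h3", created_at: "2023-06-01", revoked_at: "2023-12-31" },
  { id: "t4", user_id: "u2", name: "other", prefix: "pat_9999", token_hash: "h4", created_at: "2024-03-01", revoked_at: null },
];

// Step 2: equivalent of Platform.listApiTokensForUser. Scoped to the caller
// and filtered on revoked_at so revoked rows never reach serialization.
function listApiTokensForUser(rows: ApiTokenRow[], userId: string): ApiTokenRow[] {
  return rows.filter((r) => r.user_id === userId && r.revoked_at === null);
}

// Step 3: boundary serialization. Copies only the declared fields, so
// token_hash (or any future column) is omitted without a deny-list.
function serializeApiToken(row: ApiTokenRow): ApiToken {
  const out: Partial<Record<keyof ApiToken, string>> = {};
  for (const field of API_TOKEN_FIELDS) {
    out[field] = row[field];
  }
  return out as ApiToken;
}

// Request context as populated by the auth middleware (assumed shape).
interface Ctx {
  userId?: string;
}

// The W006 handler: step 1 (read userId, ForbiddenError if absent), step 2, step 3.
function listMyApiTokens(ctx: Ctx, rows: ApiTokenRow[] = ROWS): ApiToken[] {
  if (!ctx.userId) {
    throw new ForbiddenError("no userId on ctx");
  }
  return listApiTokensForUser(rows, ctx.userId).map(serializeApiToken);
}

// Helper used to check the invariant that no secret material is emitted.
function leaksSecretMaterial(tokens: ApiToken[]): boolean {
  return tokens.some((t) => "token_hash" in t || Object.keys(t).some((k) => !API_TOKEN_FIELDS.includes(k as keyof ApiToken)));
}
```

A useful regression check for this workflow is to add a column to the row type in a test fixture and confirm the serialized output still contains exactly the declared fields; with an allow-list projection that passes without touching the serializer.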

Errors

  • ForbiddenError — no userId on ctx.

Maps to

E006 GET /api/user/api-tokens.