feat(enterprise): admin API token field in Settings → screenpipe-team

The screenpipe-team skill needs an admin-scoped token to query org
telemetry. License_key alone isn't enough: every employee on an
enterprise license has the same license_key (deployed by IT), but
only admins should be able to read teammates' data. We can't reuse
the cloud session JWT either — older installs hold a stale `sp-…`
value, the format isn't validated end-to-end, and enterprise rollouts
shouldn't require a third-party SSO on top of the customer's own auth.

Right shape per Louis: org-level license_key + per-admin revocable
API token. Admin mints once at screenpi.pe/enterprise?tab=tokens,
pastes into the desktop, revokes from the same dashboard if a token
leaks. The pieces already existed (enterprise_api_tokens table,
withApiAuth, sk_ent_ format, scopes) — this commit lights up the
desktop side:

- New "Admin API token" card in Settings → General (enterprise build
  only). Password input + save/clear, validates the sk_ent_ prefix,
  shows a "configured" pill when a value is on disk. Link out to the
  dashboard token page for minting.
- New `get_enterprise_team_api_token` Tauri command + binding so the
  card can read "configured" state without round-tripping the
  plaintext token to React.
- SKILL.md back to the team_api_token auth path (drops the cloud-JWT
  branch).
- `Pi::is_enterprise_admin` gates skill install on team_api_token
  presence again — without it the skill would 401 every call, so
  better to not install than to confuse the agent.

End-to-end flow now: admin opens screenpi.pe → tokens tab → mints
sk_ent_ with read:devices/read:search/read:records → pastes into
Settings → restarts desktop → next pi-agent boot installs
screenpipe-team skill → "list the team's devices" works. Token can be
revoked from the same dashboard tab; employees who never get a token
keep their license_key but can't reach v1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>