[FEATURE] REST API inventory endpoint with privacy controls

[hello-args]

Summary

Expose inventory discovery via REST API with the same privacy flags as the CLI.

Problem

src/mcts/api/ has scan endpoints but no inventory operation. CLI privacy controls from #87 / PR #279 are CLI-only:

CLI flag	Behavior
--paths-only	List paths, no parse
--config-path	Single-file scope
--redact-paths	Redact home in entries/skills (default inventory JSON)

Expected Behavior

POST /inventory (or equivalent) accepting paths_only, config_path, redact_paths; MCTS_API_KEY auth; documented threat model aligned with docs/platform/rest-api.md live consent section.

References

• [SECURITY] mcts inventory reads local MCP configs without consent gate #87 / PR feat(inventory): add privacy controls for config discovery (#87) #279 — CLI reference implementation
• [FEATURE] Wire --redact-paths through inventory --scan-all JSON export #288 — scan-all redaction not wired on CLI yet; API should not repeat the gap
• docs/platform/rest-api.md

Acceptance Criteria

• API route + request schema
• Privacy flags parity with CLI (including documented scan-all redaction scope)
• Auth documented in REST threat model
• Integration tests