Add create_token plugin hook for extensible token creation

Introduces a create_token hookspec so plugins like datasette-auth-tokens
can intercept token creation and produce database-backed tokens instead
of signed ones. The default (trylast) implementation creates signed
dstok_ tokens.

Key changes:
- New create_token hookspec in hookspecs.py
- Datasette.create_signed_token(): sync, always creates signed tokens
- Datasette.create_token(): async, dispatches through the hook
- Datasette.build_token_restrictions(): utility to build abbreviated
  restriction dicts (replaces hack in datasette-auth-tokens)
- Default hook impl in default_permissions/tokens.py (trylast=True)
- CreateTokenView and CLI use create_signed_token() directly

https://claude.ai/code/session_012TFFCamoYLTofV2vCgPrjV

tests/test_api_write.py

@@ -1362,7 +1362,7 @@ async def test_create_table(
 async def test_create_table_permissions(
     ds_write, permissions, body, expected_status, expected_errors
 ):
-    token = ds_write.create_token("root", restrict_all=["view-instance"] + permissions)
+    token = ds_write.create_signed_token("root", restrict_all=["view-instance"] + permissions)
     response = await ds_write.client.post(
         "/data/-/create",
         json=body,