feat(auth/sessions): list-all gate + revoke-all-except-current (MED-1/2/3)

Audit 2026-05-10 Fix 13 Phase A — close MED-1, MED-2, MED-3.

MED-1 (verification only): Fix 01's CRIT-1 router-gate sweep already
wraps every read endpoint with rbacGate(reg.Checker, '<resource>.read',
...). Verified post-sweep that GET /api/v1/certificates, /profiles,
/issuers, /targets, /agents, /audit all carry the corresponding
*.read permission gate.

MED-2: ListSessions now gates ?actor_id=<other> on auth.session.list.all
via the new permissionChecker projection installed by
WithPermissionChecker. cmd/server/main.go threads the existing
authCheckerAdapter into the handler. When caller's actor_id !=
caller.ActorID AND the handler has a checker, an inline
CheckPermission(..., 'auth.session.list.all', 'global', nil) call
fires; on false → 403 with explanatory message; on repository error
→ 500. Defense-in-depth: the router-level rbacGate enforces
auth.session.list as the floor; the .list.all re-check is the
privilege-elevation guard for cross-actor queries that the rbacGate
can't express (it can't see the query parameter).

MED-3: ship DELETE /api/v1/auth/sessions?except=current — the
'sign out all other sessions' flow. Gated by auth.session.revoke;
the handler reads the caller's current session ID from
session.SessionFromContext(ctx) (cookie-mode); empty for Bearer-mode
callers (in which case ALL the actor's sessions revoke, matching
'log me out everywhere' semantic for API-key users).

New repository method SessionRepository.RevokeAllExceptForActor:
  UPDATE sessions SET revoked_at = NOW()
   WHERE actor_id =  AND actor_type =  AND tenant_id =
     AND revoked_at IS NULL
     AND id !=
returning rowcount. Added to the interface in internal/repository/session.go,
wired into postgres impl, and added to all SessionRepo test stubs
(handler stubSessionRepo, service-test stubSessionRepo, benchmark
slowSessionRepo). The session.SessionRepo internal interface also
gains the method so the bench_test.go forwarder compiles.

Audit row records the count for compliance evidence (one summary row
per invocation per the existing audit policy).

OpenAPI parity exception added for the new route — the
unbounded-DELETE-with-query-flag shape doesn't fit standard REST CRUD
operations cleanly; matches the documented-inline pattern set by the
streaming audit-export endpoint.

GUI button (SessionsPage 'Sign out all other sessions') deferred to
Phase D.

Refs: cowork/auth-bundles-audit-2026-05-10.md MED-1, MED-2, MED-3
Spec: cowork/auth-bundles-fixes-2026-05-10/13-med-bundle.md Phase A

internal/repository/postgres/session.go

@@ -180,6 +180,27 @@ func (r *SessionRepository) RevokeAllForActor(ctx context.Context, actorID, acto
 	return nil
 }
 
+// RevokeAllExceptForActor sets revoked_at = NOW() on every active
+// session for an actor EXCEPT the named exceptSessionID. Returns the
+// count of rows revoked. Audit 2026-05-10 MED-3 closure — backs the
+// "Sign out all other sessions" flow on SessionsPage. exceptSessionID
+// is the caller's current session ID (read from context); passing
+// empty exceptID falls through to RevokeAllForActor semantics
+// (revoke literally all).
+func (r *SessionRepository) RevokeAllExceptForActor(ctx context.Context, actorID, actorType, tenantID, exceptSessionID string) (int, error) {
+	res, err := r.db.ExecContext(ctx, `
+		UPDATE sessions SET revoked_at = NOW()
+		WHERE actor_id = $1 AND actor_type = $2 AND tenant_id = $3
+		  AND revoked_at IS NULL
+		  AND id != $4`,
+		actorID, actorType, tenantID, exceptSessionID)
+	if err != nil {
+		return 0, fmt.Errorf("sessions revoke_all_except_for_actor: %w", err)
+	}
+	n, _ := res.RowsAffected()
+	return int(n), nil
+}
+
 // GarbageCollectExpired deletes:
 //   - Sessions whose absolute_expires_at < NOW() (post-login expired).
 //   - Pre-login sessions older than 10 minutes.