feat(auth/sessions): list-all gate + revoke-all-except-current (MED-1/2/3)

Audit 2026-05-10 Fix 13 Phase A — close MED-1, MED-2, MED-3.

MED-1 (verification only): Fix 01's CRIT-1 router-gate sweep already
wraps every read endpoint with rbacGate(reg.Checker, '<resource>.read',
...). Verified post-sweep that GET /api/v1/certificates, /profiles,
/issuers, /targets, /agents, /audit all carry the corresponding
*.read permission gate.

MED-2: ListSessions now gates ?actor_id=<other> on auth.session.list.all
via the new permissionChecker projection installed by
WithPermissionChecker. cmd/server/main.go threads the existing
authCheckerAdapter into the handler. When caller's actor_id !=
caller.ActorID AND the handler has a checker, an inline
CheckPermission(..., 'auth.session.list.all', 'global', nil) call
fires; on false → 403 with explanatory message; on repository error
→ 500. Defense-in-depth: the router-level rbacGate enforces
auth.session.list as the floor; the .list.all re-check is the
privilege-elevation guard for cross-actor queries that the rbacGate
can't express (it can't see the query parameter).

MED-3: ship DELETE /api/v1/auth/sessions?except=current — the
'sign out all other sessions' flow. Gated by auth.session.revoke;
the handler reads the caller's current session ID from
session.SessionFromContext(ctx) (cookie-mode); empty for Bearer-mode
callers (in which case ALL the actor's sessions revoke, matching
'log me out everywhere' semantic for API-key users).

New repository method SessionRepository.RevokeAllExceptForActor:
  UPDATE sessions SET revoked_at = NOW()
   WHERE actor_id =  AND actor_type =  AND tenant_id =
     AND revoked_at IS NULL
     AND id !=
returning rowcount. Added to the interface in internal/repository/session.go,
wired into postgres impl, and added to all SessionRepo test stubs
(handler stubSessionRepo, service-test stubSessionRepo, benchmark
slowSessionRepo). The session.SessionRepo internal interface also
gains the method so the bench_test.go forwarder compiles.

Audit row records the count for compliance evidence (one summary row
per invocation per the existing audit policy).

OpenAPI parity exception added for the new route — the
unbounded-DELETE-with-query-flag shape doesn't fit standard REST CRUD
operations cleanly; matches the documented-inline pattern set by the
streaming audit-export endpoint.

GUI button (SessionsPage 'Sign out all other sessions') deferred to
Phase D.

Refs: cowork/auth-bundles-audit-2026-05-10.md MED-1, MED-2, MED-3
Spec: cowork/auth-bundles-fixes-2026-05-10/13-med-bundle.md Phase A

internal/api/handler/auth_session_oidc.go

@@ -120,6 +120,31 @@ type AuthSessionOIDCHandler struct {
 	cookieAttrs   SessionCookieAttrs
 	tenantID      string
 	postLoginURL  string // 302 target after successful callback (default: /)
+
+	// checker is the optional PermissionChecker projection used for
+	// query-parameter-conditional gates that the router-level rbacGate
+	// can't express. Audit 2026-05-10 MED-2: ListSessions allows the
+	// caller to query their own sessions with auth.session.list, but
+	// `?actor_id=<other>` requires the narrower auth.session.list.all.
+	// Nil-safe: handlers that don't need conditional gating leave it
+	// unset (existing tests).
+	checker permissionChecker
+}
+
+// permissionChecker is the projection of auth.PermissionChecker the
+// session handler uses for query-conditional gates (MED-2). Defined
+// locally to avoid importing internal/auth from the handler package
+// just for this single use.
+type permissionChecker interface {
+	CheckPermission(ctx context.Context, actorID, actorType, tenantID, permission, scopeType string, scopeID *string) (bool, error)
+}
+
+// WithPermissionChecker installs a PermissionChecker projection on the
+// handler. Audit 2026-05-10 MED-2 closure — used by ListSessions to
+// gate `?actor_id=<other>` on auth.session.list.all.
+func (h *AuthSessionOIDCHandler) WithPermissionChecker(c permissionChecker) *AuthSessionOIDCHandler {
+	h.checker = c
+	return h
 }
 
 // BCLReplayConsumer is the projection of repository.BCLReplayRepository
@@ -558,18 +583,29 @@ func (h *AuthSessionOIDCHandler) ListSessions(w http.ResponseWriter, r *http.Req
 	actorID := caller.ActorID
 	actorType := string(caller.ActorType)
 	if q := r.URL.Query().Get("actor_id"); q != "" && q != actorID {
-		// listing a different actor's sessions requires
-		// auth.session.list.all (router-level rbacGate ALREADY enforced
-		// auth.session.list, but `.list.all` is a separate, narrower
-		// gate — encoded inline here since the router gate doesn't
-		// vary by query parameter).
-		// For Phase 5 we keep the simple model: any caller with
-		// auth.session.list.all (admins) can pass actor_id=<other>;
-		// we don't re-check that permission here because the rbacGate
-		// pattern doesn't carry a checker into the handler. The router
-		// wraps this whole handler with auth.session.list.all when
-		// query inspection isn't possible; operators wanting the
-		// finer-grained gate use the auth.session.list.all role.
+		// Audit 2026-05-10 MED-2 closure — listing a different
+		// actor's sessions requires the narrower auth.session.list.all
+		// permission. The router gate already enforced
+		// auth.session.list (the floor for any session-list call),
+		// but the all-actors variant is an admin-class capability and
+		// must be checked separately because the rbacGate can't see
+		// the query param. When the handler is wired with
+		// WithPermissionChecker (production), we re-check inline; when
+		// it isn't (legacy tests), the router gate's auth.session.list
+		// floor is the only check.
+		if h.checker != nil {
+			ok, perr := h.checker.CheckPermission(r.Context(),
+				caller.ActorID, string(caller.ActorType), h.tenantID,
+				"auth.session.list.all", "global", nil)
+			if perr != nil {
+				Error(w, http.StatusInternalServerError, "permission check failed")
+				return
+			}
+			if !ok {
+				Error(w, http.StatusForbidden, "auth.session.list.all required to list another actor's sessions")
+				return
+			}
+		}
 		actorID = q
 		if at := r.URL.Query().Get("actor_type"); at != "" {
 			actorType = at
@@ -626,6 +662,55 @@ func (h *AuthSessionOIDCHandler) RevokeSession(w http.ResponseWriter, r *http.Re
 	w.WriteHeader(http.StatusNoContent)
 }
 
+// RevokeAllExceptCurrent handles DELETE /api/v1/auth/sessions?except=current.
+//
+// Audit 2026-05-10 MED-3 closure — backs the "Sign out all other
+// sessions" SessionsPage button. Revokes every active session for the
+// caller EXCEPT the session that issued the current request (so the
+// user doesn't get logged out by the action they just took).
+//
+// The current session ID is read from the request's session cookie via
+// the SessionMiddleware's actor context — for Bearer-mode callers this
+// is the empty string and ALL the actor's sessions are revoked (matches
+// the "log me out everywhere" semantic for API-key-mode users).
+//
+// Audit row records the count for compliance (one summary row per
+// invocation; per-session detail is implicit in the count + actor).
+func (h *AuthSessionOIDCHandler) RevokeAllExceptCurrent(w http.ResponseWriter, r *http.Request) {
+	caller, err := callerFromRequest(r)
+	if err != nil {
+		writeAuthError(w, err)
+		return
+	}
+	if r.URL.Query().Get("except") != "current" {
+		Error(w, http.StatusBadRequest, "only ?except=current is supported")
+		return
+	}
+	// Current session ID — empty for Bearer/API-key callers (acceptable;
+	// the repo's RevokeAllExceptForActor handles "" by revoking
+	// literally every active session). Read from the session middleware's
+	// SessionFromContext helper which populates the validated session
+	// on the request context for cookie-mode callers.
+	currentSessionID := ""
+	if sess := sessionsvc.SessionFromContext(r.Context()); sess != nil {
+		currentSessionID = sess.ID
+	}
+
+	count, rerr := h.sessionRepo.RevokeAllExceptForActor(r.Context(),
+		caller.ActorID, string(caller.ActorType), h.tenantID, currentSessionID)
+	if rerr != nil {
+		Error(w, http.StatusInternalServerError, "could not revoke sessions")
+		return
+	}
+	h.recordAudit(r.Context(), "auth.sessions_revoked_all_except_current",
+		caller.ActorID, caller.ActorType, currentSessionID,
+		map[string]interface{}{
+			"count":              count,
+			"current_session_id": currentSessionID,
+		})
+	writeJSON(w, http.StatusOK, map[string]interface{}{"revoked_count": count})
+}
+
 // =============================================================================
 // 3. OIDC provider + group-mapping CRUD.
 // =============================================================================

internal/api/handler/auth_session_oidc_test.go

@@ -193,8 +193,11 @@ func (s *stubSessionRepo) Revoke(_ context.Context, id string) error {
 	return nil
 }
 func (s *stubSessionRepo) RevokeAllForActor(_ context.Context, _, _, _ string) error { return nil }
-func (s *stubSessionRepo) GarbageCollectExpired(_ context.Context) (int, error)      { return 0, nil }
-func (s *stubSessionRepo) Delete(_ context.Context, _ string) error                  { return nil }
+func (s *stubSessionRepo) RevokeAllExceptForActor(_ context.Context, _, _, _, _ string) (int, error) {
+	return 0, nil
+}
+func (s *stubSessionRepo) GarbageCollectExpired(_ context.Context) (int, error) { return 0, nil }
+func (s *stubSessionRepo) Delete(_ context.Context, _ string) error             { return nil }
 
 // stubUserRepo implements just enough of repository.UserRepository for
 // the BCL sub→actor_id resolution path (CRIT-2 closure). Lookups by