invalidate other sessions on password change #37

@fabracht

Description

Problem

When a user changes their password via POST /auth/password/change or $DB/_auth/password/change, all existing sessions remain valid until their 24h TTL expires. If a password was compromised and changed, the attacker's session continues working.

Current behavior

  • Sessions are purely in-memory (HashMap<String, Session> in SessionStore)
  • Only destroy(session_id) exists — no bulk invalidation by canonical_id
  • Logout only destroys the current session, not other sessions for the same user

Proposed solution

  1. Add destroy_others_by_canonical_id(canonical_id, keep_session_id) -> usize to SessionStore — follows the existing set_vault_unlocked_by_canonical_id pattern using HashMap::retain
  2. HTTP handler: capture session ID from require_session (currently discarded), call new method after credential update
  3. Revoke JTIs from destroyed sessions' JWTs so previously-issued MQTT tickets can't be reused
  4. MQTT path: AdminContext has no reference to SessionStore — either thread Arc<SessionStore> through or accept that MQTT-based password changes don't invalidate HTTP sessions (MQTT clients aren't necessarily using HTTP sessions)

Scope

  • crates/mqdb-agent/src/http/session_store.rs — new method
  • crates/mqdb-agent/src/http/handlers.rs — call after successful password change
  • Consider whether logout should also get a "logout all sessions" variant
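
A sketch of the proposed SessionStore change, added here as an illustration for this issue; it is not code from the mqdb-agent repository. Only destroy, destroy_others_by_canonical_id(canonical_id, keep_session_id) -> usize and the HashMap::retain approach come from the issue text. The Session fields, the revoked_jtis set, the create/is_valid/is_jti_revoked helpers and the change_password handler stub are assumptions made so the example runs stand-alone. Constructed sample sessions stand in for an owner and an attacker who both hold a session for the same canonical_id.

```rust
use std::collections::{HashMap, HashSet};

/// Hypothetical session record. The issue does not show the real `Session`
/// fields, so only the two the proposal depends on are modelled here.
#[derive(Debug, Clone)]
pub struct Session {
    pub canonical_id: String,
    /// JWT ID of the token issued for this session (assumed field). Revoking
    /// it is what stops a previously issued MQTT ticket from being replayed
    /// after the session itself is gone.
    pub jti: String,
}

/// In-memory store keyed by session ID, as described in the issue, plus a
/// revocation set for JTIs of destroyed sessions (an assumption: the issue
/// says the JTIs should be revoked, not where that state lives).
#[derive(Default)]
pub struct SessionStore {
    sessions: HashMap<String, Session>,
    revoked_jtis: HashSet<String>,
}

impl SessionStore {
    /// Assumed helper: register a session for a user.
    pub fn create(&mut self, session_id: &str, canonical_id: &str, jti: &str) {
        self.sessions.insert(
            session_id.to_string(),
            Session { canonical_id: canonical_id.to_string(), jti: jti.to_string() },
        );
    }

    /// The existing single-session destroy, here also revoking the JTI.
    pub fn destroy(&mut self, session_id: &str) -> bool {
        match self.sessions.remove(session_id) {
            Some(s) => {
                self.revoked_jtis.insert(s.jti);
                true
            }
            None => false,
        }
    }

    /// Proposed bulk invalidation: drop every session belonging to
    /// `canonical_id` except `keep_session_id` (the one that performed the
    /// password change) and return how many were removed. A single pass over
    /// the map with `HashMap::retain`, as the issue suggests.
    pub fn destroy_others_by_canonical_id(&mut self, canonical_id: &str, keep_session_id: &str) -> usize {
        let before = self.sessions.len();
        let revoked = &mut self.revoked_jtis;
        self.sessions.retain(|id, s| {
            let keep = s.canonical_id.as_str() != canonical_id || id.as_str() == keep_session_id;
            if !keep {
                // Step 3 of the proposal: a destroyed session's JWT must not
                // keep working as an MQTT ticket.
                revoked.insert(s.jti.clone());
            }
            keep
        });
        before - self.sessions.len()
    }

    /// Assumed helper: what `require_session` would consult.
    pub fn is_valid(&self, session_id: &str) -> bool {
        self.sessions.contains_key(session_id)
    }

    /// Assumed helper: the MQTT ticket check would consult this before
    /// accepting a JWT.
    pub fn is_jti_revoked(&self, jti: &str) -> bool {
        self.revoked_jtis.contains(jti)
    }
}

/// Illustrative shape of the HTTP handler step (step 2). The session ID that
/// `require_session` currently discards is passed in so the caller's own
/// session survives, and other sessions are only dropped after the credential
/// update succeeded; otherwise a failed change would log everyone out.
pub fn change_password(
    store: &mut SessionStore,
    current_session_id: &str,
    canonical_id: &str,
    credential_update_ok: bool,
) -> Result<usize, &'static str> {
    if !store.is_valid(current_session_id) {
        return Err("unauthenticated");
    }
    if !credential_update_ok {
        return Err("credential update failed; sessions left untouched");
    }
    Ok(store.destroy_others_by_canonical_id(canonical_id, current_session_id))
}

fn main() {
    // Constructed sample: the owner and an attacker both hold sessions for "alice".
    let mut store = SessionStore::default();
    store.create("sess-owner", "alice", "jti-owner");
    store.create("sess-attacker", "alice", "jti-attacker");
    store.create("sess-bob", "bob", "jti-bob");

    let dropped = change_password(&mut store, "sess-owner", "alice", true).unwrap();
    println!("dropped {} other session(s)", dropped);
    println!("attacker session still valid: {}", store.is_valid("sess-attacker"));
    println!("attacker jti revoked: {}", store.is_jti_revoked("jti-attacker"));
}
```

The ordering in change_password is the part worth keeping when this is wired into handlers.rs: invalidate only after the credential update has committed, and always keep the session that made the request. The revocation set would need the same TTL-based pruning as the sessions themselves, or it grows without bound.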
