Where you're logged in UI + session revocation #205

@tayebmokni

Summary

Build the "Where you're logged in" UI per doc 06 §5.3. The admin page /me/sessions lists active sessions with device, browser, IP (CIDR-truncated for display: 203.0.113.0/24 shown, full IP on hover), last seen, current?, and a Revoke button. A "Log out everywhere" button revokes all sessions including the current one. Revoke = DEL session:<sid_hash> plus an insert into revoked_sessions for audit.

Design reference

  • docs/06-auth-permissions.md §5.3 (Session metadata & "Where you're logged in")

Acceptance criteria

  • GET /api/v1/me/sessions returns active sessions with device_label, browser, IP, last_seen_at, current_flag
  • DELETE /api/v1/me/sessions/{id} revokes a single session
  • DELETE /api/v1/me/sessions revokes all sessions for the user (including current); responds and instructs the client to clear cookie
  • /me/sessions page in admin renders the list with the truncated-IP display and full-IP-on-hover behavior
  • "Log out everywhere" confirmation modal before revoke-all
  • Audit log entries for each revocation
  • Capability gate: any authenticated user can revoke their own sessions

Dependencies

Depends on Session store, Users admin (linked from the profile Sessions tab).

Complexity

S
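
The display truncation and the own-sessions-only revocation rule from the summary and acceptance criteria, as an added sketch that is not the project's code. `Session`, `Store`, `DisplayIP`, `Revoke` and `RevokeAll` are hypothetical names, the in-memory map stands in for the session store and the `revoked_sessions` table, and the /48 width for IPv6 is an assumption (the issue gives only an IPv4 example).

```go
package main

import (
	"fmt"
	"net/netip"
)

// Session and Store are hypothetical in-memory stand-ins, not the project's schema.
type Session struct{ UserID, SIDHash string }
type Store struct {
	Live    map[string]Session // session id -> session
	Revoked []string           // one audit row per revocation
}

// DisplayIP truncates to /24 (IPv4, as in the issue) or /48 (IPv6, an assumption).
func DisplayIP(a netip.Addr) string {
	a, bits := a.Unmap(), 48 // ::ffff:a.b.c.d is shown as IPv4
	if !a.IsValid() {
		return "unknown"
	}
	if a.Is4() {
		bits = 24
	}
	p, _ := a.Prefix(bits) // cannot fail: bits fits the address family
	return p.String()
}

// Revoke removes a session only if userID owns it; unknown and foreign ids look identical.
func (s *Store) Revoke(userID, id string) bool {
	sess, ok := s.Live[id]
	if !ok || sess.UserID != userID {
		return false
	}
	delete(s.Live, id) // stands in for DEL session:<sid_hash>
	s.Revoked = append(s.Revoked, "session:"+sess.SIDHash)
	return true
}

// RevokeAll revokes every session of userID, the current one included.
func (s *Store) RevokeAll(userID string) (n int) {
	for id := range s.Live {
		if s.Revoke(userID, id) {
			n++
		}
	}
	return n
}

func main() { fmt.Println(DisplayIP(netip.MustParseAddr("203.0.113.7"))) }
```

Returning the same result for a missing id and for another user's id keeps `DELETE /api/v1/me/sessions/{id}` from confirming which session ids exist.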

Metadata

    Labels

    • area:admin (Next.js admin app)
    • area:auth (Authentication & authorization)
    • good-first-issue (Suited to first-time contributors)
    • phase:P1-cms-core (Phase 1 — CMS Core)
    • priority:P1 (Important — should land in phase)
    • skill:go (Go programming)
    • skill:react (React / Next.js)
    • skill:ts (TypeScript)
    • type:feat (New feature or implementation task)
