
fix(admin): remove raw viewer session token exposure #18

Open

joelev wants to merge 1 commit into sdamico:main from joelev:fix/admin-session-id-redaction

Conversation

@joelev joelev commented Mar 3, 2026

Summary

Remove raw viewer bearer-token exposure from admin session analytics APIs by switching to a non-secret surrogate ID.

Beads

  • bd-2ga

Problem

Admin session APIs were returning raw sessions.id values. Those IDs are the live site-auth bearer tokens, so exposure in analytics endpoints enables session hijacking by any authenticated admin.

Root Cause

Admin list/detail endpoints used sessions.id directly in both response payloads and detail lookup.

Changes

  • api/admin/sessions.js
    • Replaced exposed id field with md5(s.id) AS id.
  • api/admin/session.js
    • id query param is now validated as a 32-char hex surrogate.
    • Session lookup now uses WHERE md5(id) = $id.
    • Event lookup still uses the internal raw session ID server-side.
    • Response session object now returns only surrogate id (never raw bearer token).

Validation

  • Deterministic smoke harness passed:
    • list endpoint query projects surrogate id and response does not leak raw token
    • detail endpoint resolves via surrogate id, uses internal raw id only for event query, and response does not leak raw token
  • npm run build passes:
    • Built content/page.html (63624 bytes, 9 slides)

Risk

  • Low to medium: admin clients that manually call /api/admin/session must now pass surrogate IDs from /api/admin/sessions, not raw bearer IDs.
  • No change to viewer auth/session issuance logic.

Rollback

  • Revert commit 23db8ee.


joelev commented Mar 3, 2026

Reviewer checklist:

  1. Confirm /api/admin/sessions no longer returns raw sessions.id values.
  2. Confirm /api/admin/session lookup is by surrogate ID (md5(id)), not bearer-token ID.
  3. Confirm detail response never includes raw bearer session ID.
  4. Confirm event lookup still resolves correctly server-side from internal raw session ID.
