Session management improvements and dashboard API (#50101)

* fix: make cleanup "keep" persist subagent sessions indefinitely

* feat: expose subagent session metadata in sessions list

* fix: include status and timing in sessions_list tool

* fix: hide injected timestamp prefixes in chat ui

* feat: push session list updates over websocket

* feat: expose child subagent sessions in subagents list

* feat: add admin http endpoint to kill sessions

* Emit session.message websocket events for transcript updates

* Estimate session costs in sessions list

* Add direct session history HTTP and SSE endpoints

* Harden dashboard session events and history APIs

* Add session lifecycle gateway methods

* Add dashboard session API improvements

* Add dashboard session model and parent linkage support

* fix: tighten dashboard session API metadata

* Fix dashboard session cost metadata

* Persist accumulated session cost

* fix: stop followup queue drain cfg crash

* Fix dashboard session create and model metadata

* fix: stop guessing session model costs

* Gateway: cache OpenRouter pricing for configured models

* Gateway: add timeout session status

* Fix subagent spawn test config loading

* Gateway: preserve operator scopes without device identity

* Emit user message transcript events and deduplicate plugin warnings

* feat: emit sessions.changed lifecycle event on subagent spawn

Adds a session-lifecycle-events module (similar to transcript-events)
that emits create events when subagents are spawned. The gateway
server.impl.ts listens for these events and broadcasts sessions.changed
with reason=create to SSE subscribers, so dashboards can pick up new
subagent sessions without polling.

* Gateway: allow persistent dashboard orchestrator sessions

* fix: preserve operator scopes for token-authenticated backend clients

Backend clients (like agent-dashboard) that authenticate with a valid gateway
token but don't present a device identity were getting their scopes stripped.
The scope-clearing logic ran before checking the device identity decision,
so even when evaluateMissingDeviceIdentity returned 'allow' (because
roleCanSkipDeviceIdentity passed for token-authed operators), scopes were
already cleared.

Fix: also check decision.kind before clearing scopes, so token-authenticated
operators keep their requested scopes.

* Gateway: allow operator-token session kills

* Fix stale active subagent status after follow-up runs

* Fix dashboard image attachments in sessions send

* Fix completed session follow-up status updates

* feat: stream session tool events to operator UIs

* Add sessions.steer gateway coverage

* Persist subagent timing in session store

* Fix subagent session transcript event keys

* Fix active subagent session status in gateway

* bump session label max to 512

* Fix gateway send session reactivation

* fix: publish terminal session lifecycle state

* feat: change default session reset to effectively never

- Change DEFAULT_RESET_MODE from "daily" to "idle"
- Change DEFAULT_IDLE_MINUTES from 60 to 0 (0 = disabled/never)
- Allow idleMinutes=0 through normalization (don't clamp to 1)
- Treat idleMinutes=0 as "no idle expiry" in evaluateSessionFreshness
- Default behavior: mode "idle" + idleMinutes 0 = sessions never auto-reset
- Update test assertion for new default mode

* fix: prep session management followups (#50101) (thanks @clay-datacurve)

---------

Co-authored-by: Tyler Yust <TYTYYUST@YAHOO.COM>

src/gateway/session-transcript-key.ts

@@ -0,0 +1,96 @@
+import fs from "node:fs";
+import path from "node:path";
+import { loadConfig } from "../config/config.js";
+import type { SessionEntry } from "../config/sessions/types.js";
+import { normalizeAgentId } from "../routing/session-key.js";
+import {
+  loadCombinedSessionStoreForGateway,
+  resolveGatewaySessionStoreTarget,
+  resolveSessionTranscriptCandidates,
+} from "./session-utils.js";
+
+const TRANSCRIPT_SESSION_KEY_CACHE = new Map<string, string>();
+
+function resolveTranscriptPathForComparison(value: string | undefined): string | undefined {
+  const trimmed = value?.trim();
+  if (!trimmed) {
+    return undefined;
+  }
+  const resolved = path.resolve(trimmed);
+  try {
+    return fs.realpathSync(resolved);
+  } catch {
+    return resolved;
+  }
+}
+
+function sessionKeyMatchesTranscriptPath(params: {
+  cfg: ReturnType<typeof loadConfig>;
+  store: Record<string, SessionEntry>;
+  key: string;
+  targetPath: string;
+}): boolean {
+  const entry = params.store[params.key];
+  if (!entry?.sessionId) {
+    return false;
+  }
+  const target = resolveGatewaySessionStoreTarget({
+    cfg: params.cfg,
+    key: params.key,
+    scanLegacyKeys: false,
+    store: params.store,
+  });
+  const sessionAgentId = normalizeAgentId(target.agentId);
+  return resolveSessionTranscriptCandidates(
+    entry.sessionId,
+    target.storePath,
+    entry.sessionFile,
+    sessionAgentId,
+  ).some((candidate) => resolveTranscriptPathForComparison(candidate) === params.targetPath);
+}
+
+export function clearSessionTranscriptKeyCacheForTests(): void {
+  TRANSCRIPT_SESSION_KEY_CACHE.clear();
+}
+
+export function resolveSessionKeyForTranscriptFile(sessionFile: string): string | undefined {
+  const targetPath = resolveTranscriptPathForComparison(sessionFile);
+  if (!targetPath) {
+    return undefined;
+  }
+  const cfg = loadConfig();
+  const { store } = loadCombinedSessionStoreForGateway(cfg);
+
+  const cachedKey = TRANSCRIPT_SESSION_KEY_CACHE.get(targetPath);
+  if (
+    cachedKey &&
+    sessionKeyMatchesTranscriptPath({
+      cfg,
+      store,
+      key: cachedKey,
+      targetPath,
+    })
+  ) {
+    return cachedKey;
+  }
+
+  for (const [key, entry] of Object.entries(store)) {
+    if (!entry?.sessionId || key === cachedKey) {
+      continue;
+    }
+    if (
+      sessionKeyMatchesTranscriptPath({
+        cfg,
+        store,
+        key,
+        targetPath,
+      })
+    ) {
+      TRANSCRIPT_SESSION_KEY_CACHE.set(targetPath, key);
+      return key;
+    }
+  }
+
+  TRANSCRIPT_SESSION_KEY_CACHE.delete(targetPath);
+  return undefined;
+}