fix(security): invalidate sessions on password change and remove hash from permission API responses

- setUserPassword and resetPassword now call activeSession.deleteMany after
  updating the passwordHash, so any pre-change sessions are immediately revoked
  (CWE-613: insufficient session expiration after a credential change)
- setUserPermissions and resetUserPermissions now use explicit Prisma select to
  exclude passwordHash and totpSecret from the returned user object

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-09 21:37:56 +02:00
parent ebeb180f3f
commit 3452464809
2 changed files with 29 additions and 1 deletions
@@ -171,6 +171,10 @@ export async function setUserPassword(
data: { passwordHash },
});
// Invalidate all active sessions so any compromised session cannot be
// reused after the password is changed (CWE-613).
await ctx.db.activeSession.deleteMany({ where: { userId: input.userId } });
audit({
entityType: "User",
entityId: user.id,
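Review bot: The `activeSession.deleteMany` added after the `user.update` is a separate statement, so if it fails or the process dies between the two awaits the new `passwordHash` is persisted while every pre-change session stays valid — exactly the state the commit sets out to remove. Wrapping both writes in one `ctx.db.$transaction([...])` makes the hash change and the revocation atomic; the sketch below assumes the update's `where` matches the `{ id: input.userId }` form used by the other two hunks and that its result is what is bound to `user` above the hunk. Note too that this revokes the caller's own session when the path is used for a self-service change; if that is the case, keeping the current session (e.g. `id: { not: ctx.session.id }` in the `where`, if a session id is available on `ctx`) should be a deliberate choice rather than a side effect. The opening of the `update` call and the rest of `setUserPassword` lie outside the hunk.
```javascript
// … unchanged: permission checks and hashing above …
const [user] = await ctx.db.$transaction([
  ctx.db.user.update({ where: { id: input.userId }, data: { passwordHash } }),
  // Revoke every pre-change session atomically with the hash update (CWE-613).
  ctx.db.activeSession.deleteMany({ where: { userId: input.userId } }),
]);
// … unchanged: audit({ … }) …
```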
@@ -381,6 +385,7 @@ export async function setUserPermissions(
const user = await ctx.db.user.update({
where: { id: input.userId },
data: { permissionOverrides: input.overrides ?? Prisma.DbNull },
select: { id: true, name: true, email: true, permissionOverrides: true },
});
audit({
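Review bot: The `select` allowlist on the `user.update` here is an inline literal that is repeated verbatim in `resetUserPermissions`, so every future endpoint that returns a user has to remember to copy it or it silently falls back to Prisma's default full-row select, including `passwordHash` and `totpSecret`. Hoisting it once, `const safeUserSelect = { id: true, name: true, email: true, permissionOverrides: true };`, and passing `select: safeUserSelect` in both places keeps the redaction in one spot and makes any new sensitive column a single-line change. The allowlist form is the right choice here since an `omit` list would have to be extended each time a secret column is added. The `audit({` call at the end of the hunk continues outside it.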
@@ -414,6 +419,7 @@ export async function resetUserPermissions(
const updated = await ctx.db.user.update({
where: { id: input.userId },
data: { permissionOverrides: Prisma.DbNull },
select: { id: true, name: true, email: true, permissionOverrides: true },
});
audit({