fix(tests): align 20 drifted tests with current source behavior

Tests fell behind source changes: lastTotpAt replay-attack prevention,
activeSession invalidation on password reset, select clauses in
permission updates, UNAUTHORIZED (anti-enumeration) for disabled TOTP,
and password minimum raised from 8 to 12 characters.

Also fix root eslint.config.mjs to ignore packages/ (linted via turbo)
and add --no-warn-ignored to lint-staged to suppress warnings for
ignored files.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

packages/api/src/__tests__/assistant-tools-user-self-service-mfa-enable.test.ts

@@ -66,11 +66,18 @@ describe("assistant user self-service MFA tools - enable flow", () => {
 
     expect(db.user.findUnique).toHaveBeenCalledWith({
       where: { id: "user_1" },
-      select: { id: true, name: true, email: true, totpSecret: true, totpEnabled: true },
+      select: {
+        id: true,
+        name: true,
+        email: true,
+        totpSecret: true,
+        totpEnabled: true,
+        lastTotpAt: true,
+      },
     });
     expect(db.user.update).toHaveBeenCalledWith({
       where: { id: "user_1" },
-      data: { totpEnabled: true },
+      data: { totpEnabled: true, lastTotpAt: expect.any(Date) },
     });
     expect(db.auditLog.create).toHaveBeenCalledWith({
       data: expect.objectContaining({