fix(tests): align 20 drifted tests with current source behavior

Tests fell behind source changes: lastTotpAt replay-attack prevention,
activeSession invalidation on password reset, select clauses in
permission updates, UNAUTHORIZED (anti-enumeration) for disabled TOTP,
and password minimum raised from 8 to 12 characters.

Also fix root eslint.config.mjs to ignore packages/ (linted via turbo)
and add --no-warn-ignored to lint-staged to suppress warnings for
ignored files.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

packages/api/src/__tests__/assistant-tools-user-admin-user-create-errors.test.ts

@@ -38,14 +38,16 @@ describe("assistant user admin tools user create errors", () => {
       JSON.stringify({
         email: "peter.parker@example.com",
         name: "Peter Parker",
-        password: "secret123",
+        password: "SecurePass123!",
       }),
       ctx,
     );
 
-    expect(JSON.parse(result.content)).toEqual(expect.objectContaining({
-      error: "User with this email already exists.",
-    }));
+    expect(JSON.parse(result.content)).toEqual(
+      expect.objectContaining({
+        error: "User with this email already exists.",
+      }),
+    );
   });
 
   it("returns a stable error when creating a user without a name", async () => {
@@ -63,14 +65,16 @@ describe("assistant user admin tools user create errors", () => {
       JSON.stringify({
         email: "miles.morales@example.com",
         name: "",
-        password: "secret123",
+        password: "SecurePass123!",
       }),
       ctx,
     );
 
-    expect(JSON.parse(result.content)).toEqual(expect.objectContaining({
-      error: "Name is required.",
-    }));
+    expect(JSON.parse(result.content)).toEqual(
+      expect.objectContaining({
+        error: "Name is required.",
+      }),
+    );
     expect(ctx.db.user.findUnique).not.toHaveBeenCalled();
   });
 
@@ -94,9 +98,11 @@ describe("assistant user admin tools user create errors", () => {
       ctx,
     );
 
-    expect(JSON.parse(result.content)).toEqual(expect.objectContaining({
-      error: "Password must be at least 8 characters.",
-    }));
+    expect(JSON.parse(result.content)).toEqual(
+      expect.objectContaining({
+        error: "Password must be at least 12 characters.",
+      }),
+    );
     expect(ctx.db.user.findUnique).not.toHaveBeenCalled();
   });
 });