fix: enforce authentication on sessions and system endpoints (P0 authz gates #1636 #1638 #1639)

[OneStepAt4time]

P0 Security Fix: Authentication Gates

Issues Fixed

• [security][P0] O0-1: GET /sessions missing authentication #1636: GET /v1/sessions/health missing authentication
• [security][P0] O0-2: Missing requireRole on session action handlers (send/escape/interrupt/command/bash) #1638: Missing requireRole on session handlers (send, escape, interrupt, command, bash)
• [security][P0] O0-3: System endpoints /v1/metrics /v1/diagnostics /v1/swarm /v1/alerts/stats have no authentication #1639: System endpoints missing authentication (metrics, diagnostics, swarm, alerts/stats)

Changes

1. Added explicit
   equireRole()\ guard to GET /v1/sessions/health endpoint
2. Verified all 5 session action handlers have requireRole enforcement:
   • POST /v1/sessions/:id/send ✓
   • POST /v1/sessions/:id/escape ✓
   • POST /v1/sessions/:id/interrupt ✓
   • POST /v1/sessions/:id/command ✓
   • POST /v1/sessions/:id/bash ✓
3. Verified all 4 system endpoints have requireRole enforcement:
   • GET /v1/metrics ✓
   • GET /v1/diagnostics ✓
   • GET /v1/swarm ✓
   • GET /v1/alerts/stats ✓

Testing

• npx tsc --noEmit ✓
• npm run build ✓
• npm test (2797 passed, 29 skipped) ✓

Aegis version

Developed with: v0.3.2-alpha