feat(admin): add OAuth sessions to MCP Access panel

Show active OAuth sessions (first) and static API tokens (second) in
the admin MCP Access tab. Admins can revoke any OAuth session, which
immediately terminates the live MCP transport for that client.

- Add admin-level listOAuthSessions / revokeOAuthSession in adminService
- Add GET /admin/oauth-sessions and DELETE /admin/oauth-sessions/:id routes
- Restructure AdminMcpTokensPanel into two sections; rename tab to MCP Access
- Fix stale writeAudit call in rotate-jwt-secret route (user_id → userId)
- Add admin.oauthSessions.* i18n keys across all 14 locale files

server/src/routes/admin.ts

@@ -307,6 +307,25 @@ router.delete('/mcp-tokens/:id', (req: Request, res: Response) => {
   res.json({ success: true });
 });
 
+// ── OAuth Sessions ─────────────────────────────────────────────────────────
+
+router.get('/oauth-sessions', (_req: Request, res: Response) => {
+  res.json({ sessions: svc.listOAuthSessions() });
+});
+
+router.delete('/oauth-sessions/:id', (req: Request, res: Response) => {
+  const result = svc.revokeOAuthSession(req.params.id);
+  if ('error' in result) return res.status(result.status!).json({ error: result.error });
+  const authReq = req as AuthRequest;
+  writeAudit({
+    userId: authReq.user.id,
+    action: 'admin.oauth_session.revoke',
+    resource: String(req.params.id),
+    ip: getClientIp(req),
+  });
+  res.json({ success: true });
+});
+
 // ── JWT Rotation ───────────────────────────────────────────────────────────
 
 router.post('/rotate-jwt-secret', (req: Request, res: Response) => {
@@ -314,12 +333,8 @@ router.post('/rotate-jwt-secret', (req: Request, res: Response) => {
   if (result.error) return res.status(result.status!).json({ error: result.error });
   const authReq = req as AuthRequest;
   writeAudit({
-    user_id: authReq.user?.id ?? null,
-    username: authReq.user?.username ?? 'unknown',
+    userId: authReq.user.id,
     action: 'admin.rotate_jwt_secret',
-    target_type: 'system',
-    target_id: null,
-    details: null,
     ip: getClientIp(req),
   });
   res.json({ success: true });

server/src/services/adminService.ts

@@ -7,7 +7,7 @@ import { User, Addon } from '../types';
 import { updateJwtSecret } from '../config';
 import { maybe_encrypt_api_key, decrypt_api_key } from './apiKeyCrypto';
 import { getAllPermissions, savePermissions as savePerms, PERMISSION_ACTIONS } from './permissions';
-import { revokeUserSessions } from '../mcp';
+import { revokeUserSessions, revokeUserSessionsForClient } from '../mcp';
 import { validatePassword } from './passwordPolicy';
 import { getPhotoProviderConfig } from './memories/helpersService';
 import { send as sendNotification } from './notificationService';
@@ -603,6 +603,30 @@ export function deleteMcpToken(id: string) {
   return {};
 }
 
+// ── OAuth Sessions ─────────────────────────────────────────────────────────
+
+export function listOAuthSessions() {
+  const rows = db.prepare(`
+    SELECT ot.id, ot.client_id, oc.name AS client_name, ot.user_id, u.username,
+           ot.scopes, ot.access_token_expires_at, ot.refresh_token_expires_at, ot.created_at
+    FROM oauth_tokens ot
+    JOIN oauth_clients oc ON ot.client_id = oc.client_id
+    JOIN users u ON u.id = ot.user_id
+    WHERE ot.revoked_at IS NULL
+      AND ot.refresh_token_expires_at > CURRENT_TIMESTAMP
+    ORDER BY ot.created_at DESC
+  `).all() as (Record<string, unknown> & { scopes: string })[];
+  return rows.map(r => ({ ...r, scopes: JSON.parse(r.scopes) }));
+}
+
+export function revokeOAuthSession(id: string) {
+  const row = db.prepare('SELECT id, user_id, client_id FROM oauth_tokens WHERE id = ?').get(id) as { id: number; user_id: number; client_id: string } | undefined;
+  if (!row) return { error: 'Session not found', status: 404 };
+  db.prepare('UPDATE oauth_tokens SET revoked_at = CURRENT_TIMESTAMP WHERE id = ?').run(id);
+  revokeUserSessionsForClient(row.user_id, row.client_id);
+  return {};
+}
+
 // ── JWT Rotation ───────────────────────────────────────────────────────────
 
 export function rotateJwtSecret(): { error?: string; status?: number } {