feat(dashboard): GuruConnect v2 Sessions view (pass 2)

Active-sessions table with consent-state badges, viewer-token Join,
and disconnect, built on the v2 session API and existing UI primitives.

- Sessions table: machine, mode (managed/attended), consent badge
  (granted/pending+pulse/denied/not_required), viewers, started,
  duration, status. Sticky header, skeleton load, empty/error states.
- Join action mints a session-scoped viewer token
  (POST /api/sessions/:id/viewer-token) and reveals it with the
  /ws/viewer relay URL and copy buttons. The static viewer.html is
  intentionally not targeted: it sends the raw login JWT, which the v2
  viewer plane rejects. In-dashboard web viewer ships in a later pass.
- Authz split mirrors the server mint gate: admin or control permission
  gets Control; view permission gets View only; neither hides the action.
  Server remains authoritative; the minted token carries the signed
  access claim.
- Disconnect via confirm dialog (DELETE /api/sessions/:id), invalidates
  the sessions query. List polls every 8s so consent transitions surface.

Passed Code Review (no blockers) and local gates (tsc/lint/build green).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

dashboard/src/components/ui/status.ts

@@ -26,3 +26,23 @@ export function consentTone(state: string): StatusTone {
       return "neutral";
   }
 }
+
+/**
+ * Human label for an attended-consent state. Kept here next to `consentTone`
+ * so the color and the words for a given state never drift apart. `pending` is
+ * phrased as the active wait it represents (a tech is blocked on it).
+ */
+export function consentLabel(state: string): string {
+  switch (state) {
+    case "granted":
+      return "Granted";
+    case "pending":
+      return "Awaiting consent";
+    case "denied":
+      return "Denied";
+    case "not_required":
+      return "Not required";
+    default:
+      return state;
+  }
+}