Make `filter[client]` on `GET /api/admin/v1/oauth2-sessions` repeatable
so admin tooling can fetch sessions belonging to a set of clients in
one request. The field on `FilterParams` changes from `Option<Ulid>`
to `Vec<Ulid>`; the struct was already extracted with
`axum_extra::extract::Query` so the repeated values are not silently
dropped.
Each client ULID is validated to exist (mirroring the previous
single-client `404` behaviour) before being passed to the new
`OAuth2SessionFilter::for_clients` storage filter. The `Display`
impl used to reconstruct cursor links now emits one
`filter[client]=…` segment per client so pagination preserves the
filter. The OpenAPI schema is regenerated via `misc/update.sh` and
now describes the parameter as an array.
Adds `filter[has-active-compat-session]=true|false` to
`GET /api/admin/v1/users`. When `true` (resp. `false`), only users with
(resp. without) at least one active (non-finished) compatibility session
are returned.
Adds `filter[active-oauth2-client]` to `GET /api/admin/v1/users`. The
filter is a repeatable ULID query parameter; the semantics are OR across
the supplied clients (a user matches if they have an active OAuth2
session belonging to any of them).
Each supplied client ID is validated up front: a missing client returns
404 (mirroring the pattern in `oauth2-sessions/list`).
Unify the admin API, CLI, and GraphQL API in not having the unlock
command also reactivate, or the deactivate command also lock.
Still let the unlock command of the CLI and GraphQL API to also
reactivate the target user, albeit as a non-default option.
- Allow the admin API to deactivate a user without locking it, and to
unlock a user without reactivating it.
- Make unlock-and-reactivate flows unset the "deactivated_at" timestamp.
- Revert adding an "unlock" parameter on `ReactivateUserJob`, as the
option is used only by the admin API which doesn't use a job.