
[feature] Epic: Add governance and audit for automatic joins #299

@marwannettour

Summary

Add governance, audit, and revocation capabilities for automatic trusted-device sessions.

This epic makes automatic sessions operable and defensible after the initial MVP by giving users visibility and control over which devices can join automatically.

Context

The security study calls out several risks: local compromise, key rotation, over-broad authorization, replay attempts, and insufficient revocation. Automatic session support should ship with enough visibility and control to avoid turning trusted devices into permanently privileged devices.

Proposed scope

  • Add audit records for automatic grant creation, revocation, successful auto-join, and rejected auto-join.
  • Display recent automatic join activity where useful.
  • Provide manual revocation from UI and CLI surfaces.
  • Define behavior for key rotation or public key mismatch.
  • Add expiration visibility and renewal behavior.
  • Make rejection reasons observable without leaking sensitive secrets.

Out of scope

  • Enterprise SIEM integration.
  • Hardware-backed key storage.
  • PKI or MDM-backed enrollment.

Acceptance criteria

  • Users can revoke automatic join authorization for a trusted client.
  • Revoked clients cannot auto-join future sessions.
  • Automatic join successes and rejections are logged with useful, non-sensitive reasons.
  • Key mismatch or key rotation disables automatic authorization until revalidated.
  • UI and CLI surfaces can show the current automatic-join authorization state.
  • Tests cover revocation, expiration, key mismatch, and audit event creation.

Dependency

This can follow the MVP automatic session flow, but revocation and key mismatch handling should be considered before public release.
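
The acceptance criteria above can be read as one decision function plus an audit trail. The following is an added sketch, not code from this project: the class, reason codes, and event names are hypothetical, the keys are constructed byte strings, and it assumes proof of possession of the presented key was already verified by the caller. Replay protection is not covered here.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Reason codes are the only detail written to audit records (hypothetical names).
OK, NO_GRANT, REVOKED, EXPIRED, KEY_MISMATCH = "ok", "no_grant", "revoked", "expired", "key_mismatch"

@dataclass
class Grant:
    key_fp: str                       # SHA-256 fingerprint of the enrolled public key
    expires_at: float
    revoked: bool = False
    needs_revalidation: bool = False  # set on key mismatch, cleared only by a new grant

def fingerprint(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()

class AutoJoinPolicy:
    def __init__(self):
        self.grants = {}  # client_id -> Grant
        self.audit = []   # append-only list of audit records

    def _log(self, event, client_id, reason, now):
        # No key bytes or fingerprints are logged, only ids and a reason code.
        self.audit.append({"ts": now, "event": event, "client_id": client_id, "reason": reason})

    def grant(self, client_id, public_key, ttl, now):
        self.grants[client_id] = Grant(fingerprint(public_key), now + ttl)
        self._log("grant_created", client_id, OK, now)

    def revoke(self, client_id, now):
        g = self.grants.get(client_id)
        if g is not None:
            g.revoked = True
        self._log("grant_revoked", client_id, OK if g else NO_GRANT, now)

    def try_auto_join(self, client_id, presented_key, now):
        # Assumes the caller already verified proof of possession for presented_key.
        g = self.grants.get(client_id)
        if g is None:
            reason = NO_GRANT
        elif g.revoked:
            reason = REVOKED
        elif g.needs_revalidation or not hmac.compare_digest(fingerprint(presented_key), g.key_fp):
            g.needs_revalidation = True  # sticky: the enrolled key is refused too
            reason = KEY_MISMATCH
        elif now >= g.expires_at:
            reason = EXPIRED
        else:
            reason = OK
        event = "auto_join_succeeded" if reason == OK else "auto_join_rejected"
        self._log(event, client_id, reason, now)
        return reason
```

In this sketch a key mismatch stays in effect even when the originally enrolled key is presented again, and only a fresh `grant()` call (standing in for revalidation) restores automatic joining.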

Labels: enhancement
