fix(opencode): expose permission on session update route and expand patterns

[jquense]

Issue for this PR

Closes #15116
Fixes #10212
Fixes #5965

Type of change

• Bug fix
• New feature
• Refactor / code improvement
• Documentation

What does this PR do?

PATCH /session/{sessionID} doesn't accept a permission field, even though POST /session does. This adds it, and also runs expandRuleset (resolves ~/ and $HOME in patterns) in both the create and update route handlers. Without this, permission patterns passed via the API with ~/ or $HOME are stored literally and never match — unlike patterns from opencode.jsonc which go through fromConfig and get expanded.

Changes:

• Added permission to the PATCH session route validator and handler
• Exported expandRuleset() from PermissionNext
• Both POST and PATCH session handlers now expand patterns before storing
• Regenerated SDK v2 types

How did you verify your code works?

• tsgo --noEmit passes
• Wrote a test script against a local dev server that creates and updates sessions with ~/ and $HOME patterns, confirmed they are expanded to the absolute home directory path
• Confirmed generated SessionUpdateData type includes permission?: PermissionRuleset

Screenshots / recordings

N/A — no UI changes

Checklist

• I have tested my changes locally
• I have not included unrelated changes in this PR

[github-actions]

Thanks for updating your PR! It now meets our contributing guidelines. 👍