fix(mam-api): requireAuth — stamp last_seen_at after user confirmation

Code-review feedback: writing last_seen_at = now before loadUser() lets
the stamp persist if the lookup throws (resave:false still writes when
modified), extending the idle window without confirming the user exists.
Also clarify DEV_USER_ID is a specific placeholder, not a generic sentinel.
Zac Gaetano 2026-05-27 14:04:15 -04:00
parent 0248a68f57
commit 1a723fe4c2


@ -2,6 +2,7 @@ import pool from '../db/pool.js';
import { parseBearer, hashToken } from '../auth/tokens.js';
// Stable UUID matching migration 023's seeded dev user.
/** UUID of the seeded dev-mode placeholder. NOT a sentinel for "any unauthenticated user". */
export const DEV_USER_ID = '00000000-0000-4000-8000-000000000dev';
export const DEV_USER = { id: DEV_USER_ID, username: 'dev', display_name: 'Dev (AUTH_ENABLED=false)' };
@ -35,9 +36,9 @@ export async function requireAuth(req, res, next) {
const last = req.session.last_seen_at || 0;
if (now - first > ABSOLUTE_MS) return destroyAnd401(req, res);
if (now - last > IDLE_MS) return destroyAnd401(req, res);
req.session.last_seen_at = now;
const u = await loadUser(req.session.user_id);
if (!u) return destroyAnd401(req, res);
req.session.last_seen_at = now; // stamp only after user is confirmed; avoids extending idle window if loadUser throws or the user was deleted
req.user = u;
return next();
}
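Review bot: The new JSDoc on DEV_USER_ID calls the value a UUID, but `'00000000-0000-4000-8000-000000000dev'` is not one — the last group ends in `v`, which is not a hex digit — so the added comment misstates what the constant holds; if the users.id column is uuid-typed, the seed in migration 023 and the lookup in loadUser would presumably reject it, which is worth confirming rather than documenting as a UUID. The hunk also leaves the older `// Stable UUID matching migration 023's seeded dev user.` comment in place, so the constant now carries two overlapping comments that disagree on what it is. I'd fold them into a single accurate one, `/** Id of the dev-mode placeholder user seeded by migration 023 (a fixed UUID-shaped string). NOT a sentinel for "any unauthenticated user". */`, and drop the `//` line.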