Create Session model (DB-backed auth sessions)

**Epic:** Auth

**Description**
Persist login sessions in the database to support login/logout and revocation.

**Acceptance criteria**

- Session belongs to a user
- Includes expires_at
- Default expiration policy decided (e.g. 30 days)
- Migration + schema committed