fix: scope session_start() skip to machine-agent calls only

agent/list and agent/status are browser-facing and need $_SESSION loaded
to verify auth. Only skip session_start() for machine-agent sub-actions
(heartbeat, metrics, ha_state, command_result, register) that fire every
10-30s. Previous fix skipped session for all agent/* causing the agents
panel to return 401 to the browser.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

public_html/api.php

@@ -8,11 +8,21 @@ require_once __DIR__ . '/../api/config.php';
 require_once __DIR__ . '/../api/lib/db.php';
 require_once __DIR__ . '/../api/lib/kb_engine.php';
 
-// Skip session for agent/netscan/ping — each heartbeat would otherwise create
-// an empty session file, producing millions of files that slow session GC for all requests.
+// Skip session for machine-agent calls and netscan/ping — each heartbeat would
+// otherwise create an empty session file, producing millions of files that slow
+// session GC for all requests.  Browser-facing agent sub-actions (list/status/myip)
+// still need a session to verify auth, so we only skip for machine-agent actions.
 $_earlyParts = explode('/', trim(parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH), '/'));
 if (($_earlyParts[0] ?? '') === 'api') array_shift($_earlyParts);
-if (!in_array($_earlyParts[0] ?? '', ['agent','netscan','ping'], true)) {
+$_e0 = $_earlyParts[0] ?? '';
+$_e1 = $_earlyParts[1] ?? '';
+$_skipSession = match(true) {
+    $_e0 === 'ping'    => true,
+    $_e0 === 'netscan' => true,
+    $_e0 === 'agent' && !in_array($_e1, ['list','status','myip'], true) => true,
+    default => false,
+};
+if (!$_skipSession) {
     session_start();
 }