Resolve Server-002, -004, -005, -006 code-review findings

Server-002: the gateway never terminated leftover MxGateway.Worker.exe
processes at startup, contradicting gateway.md and CLAUDE.md. Added
IRunningProcessInspector/SystemRunningProcessInspector, OrphanWorkerTerminator,
and OrphanWorkerCleanupHostedService (best-effort, runs before sessions are
accepted); updated gateway.md to describe the implemented behavior.

Server-004: API-key scopes were persisted verbatim with no validation. Added
GatewayScopes.All/IsKnown; the CLI parser and dashboard create path now
reject unknown scope strings.

Server-005: a non-SqlException/InvalidOperationException fault on the initial
Galaxy hierarchy load faulted the BackgroundService. ExecuteAsync now catches
all non-cancellation exceptions on first load and RefreshCoreAsync broadens
its catch so the cache records Stale/Unavailable instead.

Server-006: OpenSessionAsync incremented the open-sessions gauge before
alarm auto-subscribe; an auto-subscribe failure leaked the gauge. The catch
path now calls SessionRemoved() when the gauge was incremented.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/MxGateway.Server/Dashboard/DashboardApiKeyManagementService.cs

@@ -1,6 +1,7 @@
 using System.Security.Claims;
 using Microsoft.Data.Sqlite;
 using MxGateway.Server.Security.Authentication;
+using MxGateway.Server.Security.Authorization;
 
 namespace MxGateway.Server.Dashboard;
 
@@ -171,6 +172,15 @@ public sealed class DashboardApiKeyManagementService(
             return "Display name is required.";
         }
 
+        string[] unknownScopes = request.Scopes
+            .Where(scope => !GatewayScopes.IsKnown(scope))
+            .ToArray();
+        if (unknownScopes.Length > 0)
+        {
+            return $"Unknown scope(s): {string.Join(", ", unknownScopes)}. "
+                + $"Valid scopes are: {string.Join(", ", GatewayScopes.All)}.";
+        }
+
         return null;
     }