Resolve Server-002, -004, -005, -006 code-review findings

Server-002: the gateway never terminated leftover MxGateway.Worker.exe
processes at startup, contradicting gateway.md and CLAUDE.md. Added
IRunningProcessInspector/SystemRunningProcessInspector, OrphanWorkerTerminator,
and OrphanWorkerCleanupHostedService (best-effort, runs before sessions are
accepted); updated gateway.md to describe the implemented behavior.

Server-004: API-key scopes were persisted verbatim with no validation. Added
GatewayScopes.All/IsKnown; the CLI parser and dashboard create path now
reject unknown scope strings.

Server-005: a non-SqlException/InvalidOperationException fault on the initial
Galaxy hierarchy load faulted the BackgroundService. ExecuteAsync now catches
all non-cancellation exceptions on first load and RefreshCoreAsync broadens
its catch so the cache records Stale/Unavailable instead.

Server-006: OpenSessionAsync incremented the open-sessions gauge before
alarm auto-subscribe; an auto-subscribe failure leaked the gauge. The catch
path now calls SessionRemoved() when the gauge was incremented.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/MxGateway.Server/Workers/WorkerServiceCollectionExtensions.cs

@@ -11,6 +11,13 @@ public static class WorkerServiceCollectionExtensions
         services.AddSingleton<IWorkerStartupProbe, WorkerProcessStartedProbe>();
         services.AddSingleton<IWorkerProcessLauncher, WorkerProcessLauncher>();
 
+        // Terminate workers leaked by a previous unclean gateway run before the
+        // server accepts sessions. Registered ahead of AddGatewaySessions so the
+        // cleanup hosted service starts before the session subsystem.
+        services.AddSingleton<IRunningProcessInspector, SystemRunningProcessInspector>();
+        services.AddSingleton<OrphanWorkerTerminator>();
+        services.AddHostedService<OrphanWorkerCleanupHostedService>();
+
         return services;
     }
 }