test(sessions): cover OwnerKeyId service-layer forwarding; doc 11-param ctor

Add LastOwnerKeyId capture to FakeSessionManager and assert it equals
"operator01" in OpenSession_WithValidRequest_ReturnsSessionDetails, closing
the gap where OwnerKeyId threading through the service layer had no test
coverage. Add a <remarks> to the 11-param GatewaySession convenience ctor
documenting that OwnerKeyId is null there and authenticated call sites must
use the 12-param overload.

src/ZB.MOM.WW.MxGateway.Tests/Gateway/Grpc/MxAccessGatewayServiceTests.cs

@@ -45,6 +45,7 @@ public sealed class MxAccessGatewayServiceTests
         Assert.Equal(ProtocolStatusCode.Ok, reply.ProtocolStatus.Code);
         Assert.Contains("unary-invoke", reply.Capabilities);
         Assert.Equal("Operator Key", sessionManager.LastClientIdentity);
+        Assert.Equal("operator01", sessionManager.LastOwnerKeyId);
         Assert.Equal("operator-session", sessionManager.LastOpenRequest?.ClientSessionName);
     }
 
@@ -508,6 +509,9 @@ public sealed class MxAccessGatewayServiceTests
         /// <summary>The last client identity passed to OpenSessionAsync.</summary>
         public string? LastClientIdentity { get; private set; }
 
+        /// <summary>The last owner key id passed to OpenSessionAsync.</summary>
+        public string? LastOwnerKeyId { get; private set; }
+
         /// <summary>The last session ID passed to ReadEventsAsync.</summary>
         public string? LastReadEventsSessionId { get; private set; }
 
@@ -550,6 +554,7 @@ public sealed class MxAccessGatewayServiceTests
         {
             LastOpenRequest = request;
             LastClientIdentity = clientIdentity;
+            LastOwnerKeyId = ownerKeyId;
 
             return Task.FromResult(OpenSessionResult ?? CreateSession("session-1", processId: 1234));
         }