Add UserRepository.get_main_access_key_by_id helper and rewrite SessionConditions.by_access_key_* filters to resolve the owner's main_access_key via a subquery. Groundwork for dropping the redundant sessions.access_key / kernels.access_key columns.