Slice A scope is only the new get_main_access_key_by_id helper and the
SessionConditions rewrite. Accidentally dropping the
target_main_access_key argument from delegate_endpoint_ownership
belongs to a later slice that also updates EndpointRow and the user
service; restoring the signature here so this PR builds standalone.

Rename UserPermission.user_uuid to owner_id and add main_access_key:
str | None. KernelRow.to_kernel_info populates the new field from the
eagerly-loaded user_row relationship; search_kernels now selectinload's
user_row so the scalar is available without N+1.

KernelRow.delegate_ownership drops its access_key argument (resolved
from the owner). recalc_concurrency_used switches from
KernelRow.access_key to a KernelRow.user_uuid subquery keyed by the
owner's main_access_key as a shim for the eventual access_key column
drop.

Test fixtures that construct UserPermission are updated.

Earlier the branch pulled test fixtures that also referenced later
slices' renames (SessionMetadata.owner_id, ScheduledSessionData
.main_access_key, SessionDataForPull/Start.main_access_key,
SessionData.owner_id). Revert those fixtures to main state and
re-apply only the UserPermission field renames (user_uuid -> owner_id,
access_key -> main_access_key) which are in this slice's scope.

Also update the two remaining live readers of UserPermission:
- sokovan/scheduler/fair_share/aggregator.py
- api/adapters/session.py (kernel_info_to_node)

And fix the SessionRow.delegate_ownership caller of
KernelRow.delegate_ownership to match the new single-argument signature.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Rename access_key -> main_access_key on sokovan data types
(SessionAllocation, PreparedSessionData, SessionDataForPull,
SessionDataForStart, SessionWorkload) and update every sokovan caller
accordingly. Affects:

- sokovan/data/{allocation,lifecycle,workload}.py
- sokovan/scheduler/handlers/lifecycle/*
- sokovan/scheduler/handlers/maintenance/sweep_sessions.py
- sokovan/scheduler/provisioner/{provisioner,sequencers,validators}/*
- sokovan/scheduler/launcher/launcher.py
- sokovan/scheduler/post_processors/cache_invalidation.py
- sokovan/scheduler/fair_share/aggregator.py
- sokovan/scheduling_controller/{preparers,scheduling_controller}.py
- sokovan/deployment/{executor,route}.py

No external behavior change.

- Drop ``owner_id`` from 21 read/control session action dataclasses;
  keep it only on ``create_from_template`` / ``create_from_params`` /
  ``create_cluster`` (the three delegation-capable creation paths).
- ``services/session/service.py``: add ``_requester_user_id()`` that
  pulls the caller's UUID from the ``current_user()`` context var,
  replacing 21 ``owner_id = action.owner_id`` sites.
- ``services/session/lifecycle.py``: inject ``UserRepository`` via the
  constructor instead of instantiating it internally.
- ``registry.py``: accept ``UserRepository`` and forward it into
  ``SessionLifecycleManager``.
- ``dependencies/agents/{registry,composer}.py``: wire the repository
  through the dependency graph.
- ``repositories/user/{repository,db_source/db_source}.py``: add
  ``get_main_access_key_by_id`` (renamed from ``_by_uuid``).
- Minor adapter/service touch-ups in ``services/export`` and
  ``repositories/model_serving``.

Clean up the ``changes/BA-5650-{D,E,F}.misc.md`` files that were
superseded when each slice's news fragment was renamed to the assigned
PR number (e.g. ``changes/11046.enhance.md``). These stragglers made it
onto downstream branches during the cascade rebases.

- Tests for SessionEnqueueData / KernelEnqueueData / TerminatingSessionData
  now use ``main_access_key`` and ``owner_id`` (renamed in slice F/G).
- ``SessionAdapter._session_data_to_node`` reads ``data.owner_id`` and
  drops the obsolete ``data.access_key``; the SessionMetadata GQL DTO's
  ``access_key`` field is now an empty string until the read-time
  resolver lands.
- ``cache_invalidation`` uses ``info.access_key`` (the field name on
  SessionTransitionInfo).
- ``ShutdownServiceAction``/``GetContainerLogsAction``/``RenameSessionAction``
  no longer accept ``owner_access_key``; drop the kwarg in the GQL adapter.
- ``ModelServingRepository.get_session_by_id`` drops the now-removed
  positional ``owner_access_key`` arg from ``SessionRow.get_session``.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Scheduler / predicates / scheduler-type collapse of the owner key:

- ``scheduler/predicates.py``: predicates now take SessionRow and
  resolve ``main_access_key`` from the owner via a helper when a
  keypair-scoped lookup (Redis concurrency, keypair resource policy)
  is required. Renames ``SessionRow.user_uuid`` references throughout.
- ``scheduler/drf.py``: per-user fairness tracking keyed by
  ``owner_id``/``main_access_key`` pair.
- ``repositories/scheduler/options.py``: drop the duplicated
  ``by_access_key_*`` factories — session filters go through
  ``SessionConditions`` helpers instead.
- ``repositories/scheduler/types/*``: rename ``access_key`` to
  ``main_access_key`` on ``ScheduledSessionData``,
  ``TerminatingSessionData``, ``SweptSessionInfo``, ``KernelEnqueueData``
  and ``SessionEnqueueData``.
- ``repositories/events/db_source/db_source.py`` and
  ``repositories/stream/db_source/db_source.py``: resolve the owner
  UUID from ``main_access_key`` via a sub-select shim while the schema
  still exposes ``sessions.access_key``.

REST v1 session endpoints no longer accept owner_access_key. The
delegation field is replaced with owner_id (user UUID) and is honored
only on the three session-creation endpoints
(create_from_template / create_from_params / create_cluster). Read and
control endpoints always act as the authenticated caller.

- common/dto/manager/session/request.py: drop the owner_access_key
  field from Create/Destroy/Restart/GetContainerLogs/GetStatusHistory
  request DTOs; add owner_id to the three creation DTOs.
- api/rest/session/handler.py: remove all 26 resolve_access_key_scope
  calls, drop the AuthProcessors dependency, and renumber log format
  placeholders that dropped the owner argument.
- api/rest/v2/session/handler.py: drop the redundant user_ctx /
  access_key arguments from shutdown_service / get_logs / update.
- api/adapters/session.py: update adapter call sites accordingly.
- api/rest/tree.py: drop the auth= argument from SessionHandler().

Test updates for the corresponding DTO assertions and component
fixtures are included.

- api/rest/session/handler.py: fix log format mismatches. The
  GET_OR_CREATE and CREAT_CLUSTER logs now include both the requester
  access_key and the resolved owner_id. The remaining
  SYNC_AGENT_REGISTRY / TRANSIT_STATUS / COMMIT_SESSION /
  CONVERT_SESSION_TO_IMAGE / GET_COMMIT_STATUS / GET_ABUSING_REPORT /
  GET_STATUS_HISTORY logs drop the redundant second ``/{}`` slot so
  the format string matches the provided arguments.
- tests/unit/common/dto/manager/session/test_request.py: replace the
  ``assert req is not None`` placeholders with asserts that verify
  ``owner_access_key`` no longer exists and the empty model_dump()
  shape; gives us a regression guard for the removed field.
- tests/component/session/test_session_create_delegation.py: rename
  the test / class docstring from ``owner_access_key`` to ``owner_id``
  so they describe the new delegation shape.

Removed TestRestartSessionRequest and TestGetStatusHistoryRequest which
only checked that owner_access_key was no longer present. Trivial
attribute checks add no value over the schema definition itself.

Also clean up unused imports for the removed test classes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

After collapsing service signatures and removing ``owner_access_key``
from action DTOs, propagate the rename to remaining call sites:

- Drop ``owner_access_key`` kwargs from session action constructors in
  service tests (MatchSessionsAction, GetStatusHistoryAction,
  DestroySessionAction, CompleteAction, GetSessionInfoAction,
  DownloadFilesAction, GetDirectAccessInfoAction, RenameSessionAction,
  GetContainerLogsAction, ListFilesAction, InterruptSessionAction).
- Rename ``user_uuid``/``access_key`` → ``owner_id`` (drop access_key)
  on ``SessionData`` constructions in tests.
- ``SessionTransitionInfo`` keeps ``access_key``; cache_invalidation
  reverted to ``info.access_key``.
- Terminator conftest now uses ``main_access_key`` for
  ``TerminatingSessionData``.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

- TerminatingSessionData uses ``main_access_key`` (was access_key) in
  test_terminate_sessions.
- SessionData fixture in test_session_adapter uses ``owner_id`` and
  drops the dropped ``access_key`` field.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The cascading rebase pulled in stray files from a developer working
copy: tmp-vllm-model/, server.py, vllm.sh, model-definition.yaml,
docs/BA-5608-* and docs/model-deployment-zero-downtime.*, and the
scripts/ collection of one-off E2E scripts. None of these belong on
the release branch.

Removing them also unblocks ``pants tailor`` in CI, which had begun
suggesting BUILD additions for the orphan source tree.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>