sandbox: unexpose, --ttl, and preview revocation lifecycle

[xiaods]

What to build

Lifecycle controls for preview ports (builds on #486): explicit teardown, custom expiry, and revocation on session GC. From KIP-12 (Part A).

API contract (from KIP-12):

rpc UnexposePort(UnexposePortRequest) returns (UnexposePortResponse);
message UnexposePortRequest  { string session_id = 1; int32 port = 2; }
message UnexposePortResponse { bool ok = 1; }

CLI: unexpose <sid> <port>. expose --ttl <seconds> overrides the default (session TTL). Session GC revokes outstanding preview tokens/routes for the destroyed session.

Acceptance criteria

• unexpose <sid> 8080 removes the Service + Ingress immediately; the URL then 403s
• expose --ttl 60 → URL returns 403 after 60s (expiry enforced at verify)
• session GC revokes any outstanding preview routes/tokens for the GC'd session
• re-expose of the same (sid, port) reuses the route and issues a fresh token
• test coverage for expiry + GC revocation

Blocked by

• sandbox: expose port with signed preview URL #486