fix: Correct RBAC check ordering in PutSessionWorkspaceFile to prevent session enumeration

Moves session existence check to immediately after RBAC validation,
before service lookup. This prevents unauthorized users from
enumerating valid session names by observing different error responses.

Security improvement:
- RBAC check first (line 2568-2589)
- Session existence check second (line 2591-2602)
- Service lookup third (line 2604-2620)

This matches the pattern already implemented in DeleteSessionWorkspaceFile
and follows the security standards defined in CLAUDE.md.

Fixes the issue identified in PR review at sessions.go:2578-2591.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: sallyom

components/backend/handlers/sessions.go

@@ -2566,6 +2566,7 @@ func PutSessionWorkspaceFile(c *gin.Context) {
 	}
 
 	// RBAC check: verify user has update permission on agenticsessions (file operations modify session state)
+	// IMPORTANT: RBAC check MUST happen BEFORE checking session existence to prevent enumeration attacks
 	ssar := &authzv1.SelfSubjectAccessReview{
 		Spec: authzv1.SelfSubjectAccessReviewSpec{
 			ResourceAttributes: &authzv1.ResourceAttributes{
@@ -2587,6 +2588,19 @@ func PutSessionWorkspaceFile(c *gin.Context) {
 		return
 	}
 
+	// Verify session exists using reqDyn AFTER RBAC check
+	// This prevents enumeration attacks - unauthorized users get same "Forbidden" response
+	gvr := GetAgenticSessionV1Alpha1Resource()
+	item, err := reqDyn.Resource(gvr).Namespace(project).Get(c.Request.Context(), session, v1.GetOptions{})
+	if err != nil {
+		if errors.IsNotFound(err) {
+			c.JSON(http.StatusNotFound, gin.H{"error": "Session not found"})
+			return
+		}
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get session"})
+		return
+	}
+
 	// Try temp service first (for completed sessions), then regular service
 	serviceName := fmt.Sprintf("temp-content-%s", session)
 	serviceFound := false
@@ -2606,18 +2620,8 @@ func PutSessionWorkspaceFile(c *gin.Context) {
 	}
 
 	// If no service exists, request temp content pod and return accepted status
-	// reqDyn is guaranteed non-nil after auth check above
+	// We already have the session item from the existence check above
 	if !serviceFound {
-		gvr := GetAgenticSessionV1Alpha1Resource()
-		item, err := reqDyn.Resource(gvr).Namespace(project).Get(c.Request.Context(), session, v1.GetOptions{})
-		if err != nil {
-			if errors.IsNotFound(err) {
-				c.JSON(http.StatusNotFound, gin.H{"error": "Session not found"})
-				return
-			}
-			c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get session"})
-			return
-		}
 
 		// Check if temp content was already requested (avoid duplicate pod creation)
 		annotations := item.GetAnnotations()