feat(shared): make session token expiry configurable from auth-server config

[sreecharan-desu]

Because

• SessionToken expiry filtering used a hardcoded 28-day value with an open FIXME to make it configurable.
• Auth-server already defines tokenLifetimes.sessionTokenWithoutDevice; the shared model should respect that setting.

This pull request

• Set SessionToken.sessionExpiryMs from auth-server config during DB initialization.
• Add unit tests for session token expiry filtering logic in fxa-shared.

Issue that this pull request solves

Closes: (none — addresses FIXME in session-token.ts; split from #19940 per maintainer feedback)

Checklist

• My commit is GPG signed.
• If applicable, I have modified or added tests which pass locally.
• I have added necessary documentation (if appropriate).
• I have verified that my changes render correctly in RTL (if appropriate). — N/A
• I have manually reviewed all AI generated code.

How to review (Optional)

• Key files/areas to focus on:
  • packages/fxa-auth-server/lib/db.ts (config wiring)
  • packages/fxa-shared/db/models/auth/session-token.ts (static expiry property)
  • packages/fxa-shared/test/db/models/auth/session-token.spec.ts (new tests)
• Suggested review order: model change → db wiring → unit tests
• Risky or complex parts: default 28-day fallback when config value is unset

Test plan

• yarn test fxa-shared — session-token unit tests pass
• Auth-server starts and session token pruning respects configured expiry

[sreecharan-desu]

Split from #19940 per earlier review feedback from @dschom — session expiry unhardcoding only. Would appreciate a re-review when you have time.