OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset`
- Platform: nodejs
- Component: openclaw
- Fixed in: 2026.3.28
## Summary

The `chat.send` path reused command authorization to trigger `/reset` session rotation even though direct session reset is an admin-only control-plane operation.

## Impact

A write-scoped gateway caller could rotate a target session, archive the prior transcript state, and force a new session id without admin scope.

## Affected Component

- `src/gateway/server-methods/chat.ts`
- `src/auto-reply/reply/session.ts`

## Fixed Versions

- Affected: `<= 2026.3.24`
- Patched: `>= 2026.3.28`
- Latest stable `2026.3.28` contains the fix.

## Fix

Fixed by commit `be00fcfccb` (`Gateway: align chat.send reset scope checks`).
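The following is an added illustration written for this page, not OpenClaw's code. It models the authorization gap the advisory describes: a `chat.send` handler that authorizes the message with the write scope and then routes an in-band `/reset` straight to the session-rotation routine, beside a fixed handler that enforces the same admin scope as the direct reset method. The scope name `operator.admin`, the session store shape, and every function and type name are assumptions for the example; only `operator.write`, `chat.send` and `/reset` come from the advisory.

```typescript
// Added example, not OpenClaw's code. Models the advisory's scope bypass and its fix.
// "operator.admin" is an assumed scope name; the store layout is constructed for the demo.

type Scope = "operator.write" | "operator.admin";

interface Caller {
  id: string;
  scopes: Scope[];
}

interface Session {
  id: string;
  transcript: string[];
}

interface SessionStore {
  sessions: Map<string, Session>; // keyed by a session key (e.g. a chat key)
  archived: Session[];            // prior transcripts retained after a reset
  rotations: number;              // counter used to mint deterministic session ids
}

function newStore(): SessionStore {
  return { sessions: new Map(), archived: [], rotations: 0 };
}

function hasScope(caller: Caller, scope: Scope): boolean {
  return caller.scopes.includes(scope);
}

function getOrCreate(store: SessionStore, key: string): Session {
  let s = store.sessions.get(key);
  if (!s) {
    s = { id: `${key}#0`, transcript: [] };
    store.sessions.set(key, s);
  }
  return s;
}

// Control-plane primitive: archive the current transcript and mint a new session id.
// It performs no authorization itself; each caller must have checked scope already.
function rotateSession(store: SessionStore, key: string): string {
  const current = getOrCreate(store, key);
  store.archived.push(current);
  store.rotations += 1;
  const next: Session = { id: `${key}#${store.rotations}`, transcript: [] };
  store.sessions.set(key, next);
  return next.id;
}

// Direct admin-only reset method, modelled on the advisory's "direct session reset".
function sessionsReset(store: SessionStore, caller: Caller, key: string): string {
  if (!hasScope(caller, "operator.admin")) {
    throw new Error("forbidden: sessions.reset requires operator.admin");
  }
  return rotateSession(store, key);
}

// Vulnerable pattern: the message is authorized with the write scope, then "/reset"
// is forwarded to rotateSession without consulting the admin check above.
function chatSendVulnerable(store: SessionStore, caller: Caller, key: string, text: string): string {
  if (!hasScope(caller, "operator.write")) {
    throw new Error("forbidden: chat.send requires operator.write");
  }
  if (text.trim() === "/reset") {
    return rotateSession(store, key); // no admin scope check on this path
  }
  const s = getOrCreate(store, key);
  s.transcript.push(text);
  return s.id;
}

// Fixed pattern: the in-band "/reset" path enforces the same scope as the direct
// control-plane method, so the two entry points cannot diverge.
function chatSendFixed(store: SessionStore, caller: Caller, key: string, text: string): string {
  if (!hasScope(caller, "operator.write")) {
    throw new Error("forbidden: chat.send requires operator.write");
  }
  if (text.trim() === "/reset") {
    if (!hasScope(caller, "operator.admin")) {
      throw new Error("forbidden: /reset requires operator.admin");
    }
    return rotateSession(store, key);
  }
  const s = getOrCreate(store, key);
  s.transcript.push(text);
  return s.id;
}

// Sends a write-scoped "/reset" through both handlers and reports whether the
// session id changed, i.e. whether the scope bypass succeeded.
function demo(): { vulnerableRotated: boolean; fixedRotated: boolean } {
  const writer: Caller = { id: "writer", scopes: ["operator.write"] };
  const key = "chat:42"; // constructed sample session key

  const v = newStore();
  const before = chatSendVulnerable(v, writer, key, "hello");
  const after = chatSendVulnerable(v, writer, key, "/reset");

  const f = newStore();
  const fBefore = chatSendFixed(f, writer, key, "hello");
  let fAfter = fBefore;
  try {
    fAfter = chatSendFixed(f, writer, key, "/reset");
  } catch (_e) {
    // rejected: session id unchanged
  }
  return { vulnerableRotated: after !== before, fixedRotated: fAfter !== fBefore };
}
```

The detection angle for operators is the same contrast: a session rotation recorded against a caller whose token carries only `operator.write` is exactly the event the fixed handler refuses, so audit logs of reset events joined to the caller's scope make the pre-patch behaviour visible.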
How to fix
No official patch available. Check for workarounds or monitor for updates.