fix: address audit findings — session_id validation, streaming reset, state isolation

- Replace truncated 12-char UUID with full 32-char UUID (128-bit entropy)
- Add validate_session_id() regex check to prevent path traversal
- Add _check_session_id() guard on all 6 API endpoints
- Change _step_counter from module global to contextvars.ContextVar
- Filter None values from node_state before merging into agent_state
- Log save_session failures instead of silently swallowing them
- Add finishStreaming() in catch/finally blocks to prevent UI lockup
- Fix broken multiline docstring in chat() endpoint
This commit is contained in:
2026-05-23 09:08:53 +08:00
parent 1952d75f13
commit 93ad5e8876
5 changed files with 66 additions and 25 deletions
+5
@@ -109,6 +109,11 @@ async function handleSend(text: string, files: File[]) {
} catch (e: any) {
chat.setError(e.message || '网络请求失败')
chat.addMessage({ role: 'assistant', content: `请求失败: ${e.message}`, type: 'error' })
chat.finishStreaming({ status: '' })
} finally {
if (chat.streaming) {
chat.finishStreaming({ status: '' })
}
}
}
</script>
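Review bot: The `chat.finishStreaming({ status: '' })` added in the catch block duplicates the guarded call added in `finally`; if `finishStreaming` clears `chat.streaming` the catch-block call is dead weight, and if it does not, the stream is finished twice on every error path. Keeping only the guarded `finally` call (or dropping the guard and calling it once in `finally`) gives one well-defined place where the UI is unlocked, which is the stated goal of the change. The `catch (e: any)` it sits in is pre-existing, but the new error path now depends on `e.message`, which is undefined for non-Error throws; `catch (e: unknown)` with `const msg = e instanceof Error ? e.message : String(e)` would make both the `setError` and `addMessage` lines safe. The body of `handleSend` starts outside this hunk.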