fix: address audit findings — session_id validation, streaming reset, state isolation

- Replace truncated 12-char UUID with full 32-char UUID (128-bit entropy)
- Add validate_session_id() regex check to prevent path traversal
- Add _check_session_id() guard on all 6 API endpoints
- Change _step_counter from module global to contextvars.ContextVar
- Filter None values from node_state before merging into agent_state
- Log save_session failures instead of silently swallowing them
- Add finishStreaming() in catch/finally blocks to prevent UI lockup
- Fix broken multiline docstring in chat() endpoint

tests/test_session.py

@@ -41,7 +41,7 @@ def temp_sessions_dir(monkeypatch):
 class TestCreateSession:
     def test_creates_with_defaults(self, temp_sessions_dir):
         s = create_session()
-        assert len(s["session_id"]) == 12
+        assert len(s["session_id"]) == 32
         assert "新建报表" in s["session_name"]
         assert s["created_at"]
         assert s["updated_at"]
@@ -139,7 +139,7 @@ class TestSaveSession:
         assert load_session(created["session_id"])["session_name"] == "原名"
 
     def test_fills_missing_created_at(self, temp_sessions_dir):
-        sid = "test_no_created"
+        sid = "aaaabbbbccccddddeeeeffff"
         fp = temp_sessions_dir / f"{sid}.json"
         fp.write_text(
             json.dumps({"session_id": sid, "session_name": "旧数据"}), "utf-8"