Harden API layer: encode session IDs and validate export payload

Session fetch (useSession.ts):
- Wrap the session ID in encodeURIComponent before interpolating
  into the fetch URL. Session IDs can contain characters like '+'
  or '/' that would corrupt the path without encoding.

Export route (export.ts):
- Add validation that redactedMessageUuids, when present, is an
  array. Previously only visibleMessageUuids was checked, so a
  malformed redactedMessageUuids value (e.g. a string or object)
  would silently pass validation and potentially cause downstream
  type errors in the HTML exporter.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

src/client/hooks/useSession.ts

@@ -42,7 +42,7 @@ export function useSession(): SessionState {
     setSessionLoading(true);
     setSessionError(null);
     try {
-      const res = await fetch(`/api/sessions/${id}`);
+      const res = await fetch(`/api/sessions/${encodeURIComponent(id)}`);
       if (!res.ok) throw new Error(`HTTP ${res.status}`);
       const data = await res.json();
       setCurrentSession(data);

src/server/routes/export.ts

@@ -10,7 +10,9 @@ exportRouter.post("/", async (req, res) => {
     if (
       !exportReq?.session?.messages ||
       !Array.isArray(exportReq.session.messages) ||
-      !Array.isArray(exportReq.visibleMessageUuids)
+      !Array.isArray(exportReq.visibleMessageUuids) ||
+      (exportReq.redactedMessageUuids !== undefined &&
+        !Array.isArray(exportReq.redactedMessageUuids))
     ) {
       res.status(400).json({ error: "Invalid export request: missing session, messages, or visibleMessageUuids" });
       return;