Harden API layer: encode session IDs and validate export payload

Session fetch (useSession.ts):
- Wrap the session ID in encodeURIComponent before interpolating
  into the fetch URL. Session IDs can contain characters like '+'
  or '/' that would corrupt the path without encoding.

Export route (export.ts):
- Add validation that redactedMessageUuids, when present, is an
  array. Previously only visibleMessageUuids was checked, so a
  malformed redactedMessageUuids value (e.g. a string or object)
  would silently pass validation and potentially cause downstream
  type errors in the HTML exporter.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

src/server/routes/export.ts

@@ -10,7 +10,9 @@ exportRouter.post("/", async (req, res) => {
     if (
       !exportReq?.session?.messages ||
       !Array.isArray(exportReq.session.messages) ||
-      !Array.isArray(exportReq.visibleMessageUuids)
+      !Array.isArray(exportReq.visibleMessageUuids) ||
+      (exportReq.redactedMessageUuids !== undefined &&
+        !Array.isArray(exportReq.redactedMessageUuids))
     ) {
       res.status(400).json({ error: "Invalid export request: missing session, messages, or visibleMessageUuids" });
       return;