feat: implement 7 critical session persistence API fixes for production readiness

This commit implements all 7 critical fixes identified in the code review
to make the session persistence API production-ready for zero-downtime
container deployments in multi-tenant environments.

Fixes implemented:
1. Made instanceId optional in SessionState interface
2. Removed redundant validation, properly using validateInstanceContext()
3. Fixed race condition in MAX_SESSIONS check using real-time count
4. Added comprehensive security logging with logSecurityEvent() helper
5. Added duplicate session ID detection during export with Set tracking
6. Added date parsing validation with isNaN checks for Invalid Date objects
7. Restructured null checks for proper TypeScript type narrowing

Changes:
- src/types/session-state.ts: Made instanceId optional
- src/http-server-single-session.ts: Implemented all validation and security fixes
- tests/unit/http-server/session-persistence.test.ts: Fixed MAX_SESSIONS test

All 13 session persistence unit tests passing.
All 9 MCP engine session persistence tests passing.

Conceived by Romuald Członkowski - https://www.aiadvisors.pl/en

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

tests/unit/http-server/session-persistence.test.ts

@@ -429,8 +429,12 @@ describe('SingleSessionHTTPServer - Session Persistence', () => {
     it('should respect MAX_SESSIONS limit during restore', () => {
       // Create 99 existing sessions (MAX_SESSIONS is 100)
       const serverAny = server as any;
+      const now = new Date();
       for (let i = 0; i < 99; i++) {
-        serverAny.transports[`existing-${i}`] = {}; // Mock transport
+        serverAny.sessionMetadata[`existing-${i}`] = {
+          createdAt: now,
+          lastAccess: now
+        };
       }
 
       // Try to restore 3 sessions (should only restore 1 due to limit)