refactor: Apply code review improvements to v2.19.0

Implemented minor recommendations from code-reviewer agent:

1. Session ID Validation
   - Verified already correctly placed before restoration (line 758)
   - No changes needed

2. Comprehensive Orphan Detection
   - Added orphan detection for transports (lines 159-167)
   - Added orphan detection for servers (lines 169-176)
   - Prevents theoretical memory leaks from orphaned components
   - Added warning logs for orphaned transports
   - Added debug logs for orphaned servers

3. Rate Limiting Documentation
   - Added @security note to onSessionNotFound JSDoc
   - Warns about database lookup abuse prevention
   - Recommends express-rate-limit or similar middleware

All tests passing:
- ✅ 21/21 session management API tests
- ✅ 13/13 session persistence integration tests
- ✅ TypeScript type checking clean

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

src/http-server-single-session.ts

@@ -156,6 +156,25 @@ export class SingleSessionHTTPServer {
       }
     }
 
+    // Check for orphaned transports (transports without metadata)
+    for (const sessionId in this.transports) {
+      if (!this.sessionMetadata[sessionId]) {
+        logger.warn('Orphaned transport detected, cleaning up', { sessionId });
+        this.removeSession(sessionId, 'orphaned_transport').catch(err => {
+          logger.error('Error cleaning orphaned transport', { sessionId, error: err });
+        });
+      }
+    }
+
+    // Check for orphaned servers (servers without metadata)
+    for (const sessionId in this.servers) {
+      if (!this.sessionMetadata[sessionId]) {
+        logger.warn('Orphaned server detected, cleaning up', { sessionId });
+        delete this.servers[sessionId];
+        logger.debug('Cleaned orphaned server', { sessionId });
+      }
+    }
+
     // Remove expired sessions
     for (const sessionId of expiredSessions) {
       this.removeSession(sessionId, 'expired');