fix: resolve medium/low audit findings across backend and frontend

- ctx CLI: validate int() limit arg, wrap FTS5 MATCH in try/except
- ctx.rs: FTS5 error message clarity, Mutex::lock() returns Err not panic
- sdk-messages.ts: runtime type guards (str/num) replace bare `as` casts
- agent-runner.ts: strip ANTHROPIC_* env vars alongside CLAUDE*
- agent-dispatcher.ts: timestamps use seconds (match session.rs convention)
- remote.rs: disconnect handler uses lock().await not try_lock()
- session.rs: propagate pane_ids serialization error
- watcher.rs: reject root-level paths instead of silent no-op
- lib.rs: log warnings on profile.toml read failure and resource_dir error
- agent-bridge.ts: validate event payload is object before cast
Hibryda 2026-03-08 20:10:54 +01:00
parent 044f891c3a
commit 3f1638c98b
10 changed files with 97 additions and 57 deletions


@ -278,10 +278,11 @@ async function persistSessionForProject(sessionId: string): Promise<void> {
input_tokens: session.inputTokens,
output_tokens: session.outputTokens,
last_prompt: session.prompt,
updated_at: Date.now(),
updated_at: Math.floor(Date.now() / 1000),
});
// Save messages
// Save messages (use seconds to match session.rs convention)
const nowSecs = Math.floor(Date.now() / 1000);
const records: AgentMessageRecord[] = session.messages.map((m, i) => ({
id: i,
session_id: sessionId,
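Review bot: Rows persisted before this change hold millisecond values in `updated_at` and `created_at`, and nothing visible here converts them, so once new rows are written in seconds, any sort or age comparison over the mixed data will rank the old rows as far in the future. Please confirm that a migration or read-side normalisation exists outside this hunk. Separately, `updated_at: Math.floor(Date.now() / 1000)` is computed on its own while `nowSecs` is declared a few lines later for the same purpose. Moving `const nowSecs = Math.floor(Date.now() / 1000);` above the session save and writing `updated_at: nowSecs` would keep the session row and its message rows (the `created_at: nowSecs` in the second hunk) on one timestamp. `persistSessionForProject` starts and ends outside the hunk, so the call that receives these fields is not visible here.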
@ -290,7 +291,7 @@ async function persistSessionForProject(sessionId: string): Promise<void> {
message_type: m.type,
content: JSON.stringify(m.content),
parent_id: m.parentId ?? null,
created_at: Date.now(),
created_at: nowSecs,
}));
if (records.length > 0) {