fix: resolve medium/low audit findings across backend and frontend

- ctx CLI: validate int() limit arg, wrap FTS5 MATCH in try/except
- ctx.rs: FTS5 error message clarity, Mutex::lock() returns Err not panic
- sdk-messages.ts: runtime type guards (str/num) replace bare `as` casts
- agent-runner.ts: strip ANTHROPIC_* env vars alongside CLAUDE*
- agent-dispatcher.ts: timestamps use seconds (match session.rs convention)
- remote.rs: disconnect handler uses lock().await not try_lock()
- session.rs: propagate pane_ids serialization error
- watcher.rs: reject root-level paths instead of silent no-op
- lib.rs: log warnings on profile.toml read failure and resource_dir error
- agent-bridge.ts: validate event payload is object before cast

v2/src-tauri/src/session.rs

@@ -284,7 +284,8 @@ impl SessionDb {
 
     pub fn save_layout(&self, layout: &LayoutState) -> Result<(), String> {
         let conn = self.conn.lock().unwrap();
-        let pane_ids_json = serde_json::to_string(&layout.pane_ids).unwrap_or_default();
+        let pane_ids_json = serde_json::to_string(&layout.pane_ids)
+            .map_err(|e| format!("Serialize pane_ids failed: {e}"))?;
         conn.execute(
             "UPDATE layout_state SET preset = ?1, pane_ids = ?2 WHERE id = 1",
             params![layout.preset, pane_ids_json],