feat(session): add typed session abstraction with in-memory store

[YimingIsCOLD]

🚀 Summary

Adds a typed session package providing per-request session state (ID, CSRF token, user, data map) backed by a pluggable Store interface, plus an in-memory implementation in session/memstore for development and tests. The Store.Commit contract requires a non-nil snap, non-empty snap.ID, and positive TTL; Prepare and Drop are permissive when id is empty.

✏️ Changes

• New server/internal/session package
  • Session type owns per-request state; not safe for concurrent use (single request goroutine).
  • Snapshot is the wire/storage form; Data map is shared with the producing/consuming Session.
  • New() returns an unauthenticated session with freshly generated ID and CSRF token (32-char base58).
  • SetUser rotates ID and CSRF token on the unauthenticated→authenticated transition (session fixation defence); auth→auth transitions leave them untouched.
  • Rotate regenerates ID and CSRF token while preserving user and data.
  • Store interface: Prepare (load), Commit (write with TTL), Drop (idempotent remove).
  • Store.Commit contract: rejects nil snap, empty snap.ID, and non-positive TTL. Prepare and Drop are permissive on empty id (return (nil, nil) / no-op).
  • The interface godoc is the authoritative contract; implementation methods use // X implements [session.Store.X] pointers.
• New server/internal/session/memstore package
  • Store is an in-process map-backed session.Store.
  • Lazy TTL eviction on the Prepare read path.
  • WithClock option for deterministic time control in tests.
  • sync.Mutex guards the entries map; TestStore_ConcurrentAccess exercises this under -race.
  • Commit enforces the validation contract with memstore: <constraint> errors.

🧪 Test plan

• go test -race ./server/internal/session/... — all green
• go vet ./server/internal/session/... — clean
• golangci-lint run ./server/internal/session/... — 0 issues