Fix/ao api review followups #689

Draft
dhyaneesh wants to merge 12 commits into ComposioHQ:main from dhyaneesh:fix/ao-api-review-followups

@dhyaneesh (Collaborator) commented Mar 25, 2026

Summary

  • add token-protected /api/ao/* endpoints for status, session listing, session detail, kill, and retry flows
  • harden core session lifecycle handling for archived lookups, stale runtime/worktree cleanup, restore rollback, and ambiguous nested session prefixes
  • align legacy /api/sessions* behavior with AO routes for auth handling, correlation-safe error responses, and fallback project normalization
  • address follow-up review issues by narrowing missing-resource detection, switching API token checks to constant-time comparison, and removing redundant AO
    session serialization indirection

Test Plan

  • HOME=/tmp pnpm --filter @composio/ao-core test -- src/__tests__/config-validation.test.ts src/__tests__/session-manager.test.ts
  • HOME=/tmp pnpm --filter @composio/ao-core test -- src/__tests__/session-manager.test.ts
  • pnpm --filter @composio/ao-core build
  • pnpm --filter @composio/ao-web test -- src/__tests__/services.test.ts src/__tests__/api-routes.test.ts src/__tests__/api-ao.test.ts src/lib/__tests__/serialize.test.ts src/lib/__tests__/api-auth.test.ts
  • pnpm --filter @composio/ao-core typecheck
  • pnpm --filter @composio/ao-web typecheck
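
The summary's last item mentions switching API token checks to constant-time comparison. The following is an added example, not code from this PR: one way to do that in Node.js with `crypto.timingSafeEqual`, which throws on inputs of unequal length, so both values are first reduced to fixed-size HMAC digests. The names `tokensMatch`, `bearerToken` and `authorize`, the Bearer header scheme and the status codes are assumptions.

```javascript
// Added example, not code from the PR. Helper names, the Bearer scheme and
// the returned status codes are assumptions made for illustration.
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

// Random per-process key: digests have a fixed length and cannot be
// precomputed by a caller.
const DIGEST_KEY = randomBytes(32);

function digest(value) {
  return createHmac("sha256", DIGEST_KEY).update(value, "utf8").digest();
}

// Compare two secrets without returning early at the first differing byte.
// timingSafeEqual throws on unequal lengths, so compare 32-byte digests.
function tokensMatch(presented, expected) {
  if (typeof presented !== "string" || typeof expected !== "string") return false;
  if (expected.length === 0) return false; // fail closed: no token configured
  return timingSafeEqual(digest(presented), digest(expected));
}

// Pull the token out of an Authorization header value, or return null.
function bearerToken(headerValue) {
  if (typeof headerValue !== "string") return null;
  const match = /^Bearer\s+(\S+)$/i.exec(headerValue.trim());
  return match ? match[1] : null;
}

// Decide the HTTP status for a request to a token-protected route.
function authorize(headers, expectedToken) {
  // A server with no configured token rejects everything instead of
  // treating "empty equals empty" as a match.
  if (typeof expectedToken !== "string" || expectedToken.length === 0) return 503;
  const presented = bearerToken(headers["authorization"]);
  if (presented === null) return 401;
  return tokensMatch(presented, expectedToken) ? 200 : 401;
}

// Constructed sample values, not real credentials.
const EXPECTED = "constructed-sample-token-0001";
const samples = [
  { authorization: `Bearer ${EXPECTED}` },
  { authorization: "Bearer short" },
  { authorization: "Basic dXNlcjpwYXNz" },
  {},
];
for (const headers of samples) {
  console.log(JSON.stringify(headers), "->", authorize(headers, EXPECTED));
}
```
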

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

const eventWithPriority = { ...event, priority };
const notifierNames = config.notificationRouting[priority] ?? config.defaults.notifiers;
const notificationPlan = plan ?? resolveNotificationPlan(priority);
const trackedSession = session ?? (await sessionManager.get(event.sessionId).catch(() => null));
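
Review bot: The `.catch(() => null)` on the `trackedSession` line turns every rejection from `sessionManager.get(event.sessionId)` into "no session", so a read or permission failure looks the same as a missing session and leaves no trace. Catch only the missing-session case, or log the error before falling back to `null`. If callers pass `null` to mean "skip the lookup", test `session !== undefined` rather than relying on `session ?? ...`.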
Null session triggers unnecessary sessionManager lookup for system events

Low Severity

When notifyHuman is called with session explicitly set to null (for system-level events like all-complete), the nullish coalescing operator ?? treats null as a trigger for the fallback sessionManager.get(event.sessionId). This causes an unnecessary sessionManager.get("system") call that iterates through all projects' metadata directories on disk. The caller's intent with null is "no session exists," but ?? doesn't distinguish null from undefined.

@dhyaneesh dhyaneesh marked this pull request as draft March 25, 2026 17:18