Use server-managed container session IDs

[xpcmdshell]

Summary

• make container sessions fully server-issued and server-owned
• remove client-side session ID generation and reject unknown/stale IDs on the server
• preserve executor/session dep exception behavior while keeping low-level client auth failures HTTP-native

What changed

• SessionClient now starts without a session ID, omits X-Session-ID until first /execute, caches the server-issued ID, and clears it on reset
• container server now creates sessions only when X-Session-ID is absent on /execute; unknown or stale IDs return 400 on /execute and /reset
• removed caller-supplied remote session ID support from the AutoGen remote helper
• dep-related client methods use raise_for_status(), while ContainerExecutor translates those HTTP errors back into RuntimeError to preserve the higher-level contract
• expanded container client/server/executor/auth tests around the new contract

Verification

• uv run pytest -n 0 tests/container/test_client.py tests/container/test_executor.py tests/container/test_server.py tests/container/test_container_auth.py
• live manual validation against a real session server:
  • positive path: first execute creates server session, subsequent execute reuses it, and Session.reset() gets a fresh session on next run
  • negative path: invented session IDs return 400 Invalid session ID
  • negative auth path: bad token on dep endpoint returns real 401 via raise_for_status()