Description
Problem
loadSessionHistory (and the directory scan it performs) does not filter by provider. When sdk.attach receives a UUID-shaped session ID, it passes isValidClaudeSessionId and calls loadSessionHistory, which searches all project directories regardless of provider.
This means a Codex (or other provider) session with a UUID-shaped ID could resolve to that provider's .jsonl file and be treated as valid Claude durable history, producing an incorrect sdk.session.snapshot.
This is pre-existing behavior (the brute-force scan has always been provider-agnostic), but it was noted during review of #222, which adds a faster resolver path to the same logic.
Possible fix
Give WsHandler a Claude-restricted resolver (getFilePathForSession(id, 'claude')) while keeping the timeline service's resolver unrestricted (timeline serves all providers).
Impact
Low — requires a non-Claude provider to produce UUID-shaped session IDs that collide with the Claude session ID format, and the user would need to sdk.attach to that specific ID. Unlikely in practice but worth fixing for correctness.
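An added sketch of the behavior described above and of the proposed Claude-restricted resolver; it is not code from the repository. The function names are taken from this issue, while their bodies, the `provider` field, the session IDs and the file paths are constructed assumptions.

```javascript
// Hypothetical sketch: names mirror the issue, bodies and data are assumptions.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Shape check only: it says nothing about which provider owns the ID.
function isValidClaudeSessionId(id) {
  return typeof id === 'string' && UUID_RE.test(id);
}

// Constructed scan result: every .jsonl found across all project directories.
const CLAUDE_ID = '3f2a9c1e-5b7d-4e8a-9c0f-1a2b3c4d5e6f';
const CODEX_ID = '7d4e1b2a-9f3c-4a6b-8e5d-0c1b2a3f4e5d';
const SHARED_ID = 'aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee'; // same ID under both providers
const scannedFiles = [
  { provider: 'codex', id: SHARED_ID, path: 'codex/proj-b/' + SHARED_ID + '.jsonl' },
  { provider: 'claude', id: CLAUDE_ID, path: 'claude/proj-a/' + CLAUDE_ID + '.jsonl' },
  { provider: 'codex', id: CODEX_ID, path: 'codex/proj-b/' + CODEX_ID + '.jsonl' },
  { provider: 'claude', id: SHARED_ID, path: 'claude/proj-a/' + SHARED_ID + '.jsonl' },
];

// provider omitted: unrestricted lookup (timeline serves all providers).
// provider given: only that provider's files are eligible.
function getFilePathForSession(id, provider) {
  const hit = scannedFiles.find(
    (f) => f.id === id && (provider === undefined || f.provider === provider)
  );
  return hit ? hit.path : null;
}

// Attach path as described under "Problem": shape check plus provider-agnostic lookup.
function attachUnrestricted(id) {
  if (!isValidClaudeSessionId(id)) return { ok: false, reason: 'invalid-id' };
  const path = getFilePathForSession(id);
  return path ? { ok: true, path } : { ok: false, reason: 'not-found' };
}

// Attach path with the Claude-restricted resolver from "Possible fix".
function attachClaudeOnly(id) {
  if (!isValidClaudeSessionId(id)) return { ok: false, reason: 'invalid-id' };
  const path = getFilePathForSession(id, 'claude');
  return path ? { ok: true, path } : { ok: false, reason: 'not-found' };
}
```

With the restricted resolver, a UUID-shaped Codex ID yields `not-found` on attach, and an ID present under both providers resolves to the Claude file rather than to whichever file the scan finds first.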