author: Stefan Boberg <[email protected]> 2026-05-05 15:47:48 +0200
committer: GitHub Enterprise <[email protected]> 2026-05-05 15:47:48 +0200
commit: 01286c6233347d561064fc9e6cf9deaf2087ceb7
tree: bdbfdf01725baa2d2dd3d73727e6506b41421dff /thirdparty
parent: hub async s3 client (#1024)
sessions: persist to disk, prune, track client liveness, accept UE_LOGFMT (#1014)
Branch started as a sessions-service overhaul (persistence, client liveness, UE_LOGFMT intake) and grew to pick up adjacent infrastructure work: an early-startup log backlog, a hardened `MemoryArena`, the `zen trace serve` viewer gaining a counter view + compact timeline + tabbed callsite panel, defensive fixes in the third-party `tourist` trace parser, a series of allocation reductions across the HTTP and compact-binary hot paths, and a new `zen sessions` CLI command tree.

## Sessions service

**Persistence.** Each session lives on disk under `<DataRoot>/sessions/<id>/` as `info.cb` (metadata) plus `log.bin` (length-prefixed CbObject log records). On startup the service scans that directory and loads prior sessions as ended sessions, preloading the tail of each log so historical views work after a restart. `SessionLog` is noexcept-constructed and falls back to a disabled state on disk errors, so a bad disk can't take down `RegisterSession`. `GetSession` falls back to the ended-sessions list (fixes historical log fetches over HTTP). `LoadTail` counts only successfully-parsed records.

**Pruning.** Periodic cleanup task drops ended sessions once any of three caps is exceeded: age (default 1 year), count (default 1000), or total on-disk footprint (default 50 MiB). Runs 30 s after startup, hourly thereafter. Active sessions never pruned; disk removal and directory stat happen outside the exclusive lock so a slow filesystem can't stall lookups.

**Client liveness.** Sessions carry a `ProcessHandle` for the client-reported pid, captured at registration time so Windows pid recycling can't produce false positives. A 30 s asio timer probes liveness and ends dead sessions through the normal remove path, producing a synthetic `Session ended: process exited (...)` line persisted to `log.bin`. Windows decodes common NTSTATUS exit codes to human names (Ctrl-C, access violation, stack overflow, ...); POSIX stays at plain `process exited`. Clients auto-fill `ClientPid` only for local targets (unix socket / loopback); the server defensively accepts pids only from `IsLocalMachineRequest()` peers. zenserver also reports its own pid when registering its self-session, so it shows up with a real pid in the dashboard and `zen sessions ls`.

**Synthetic end-of-session line.** `RemoveSession` takes an optional reason; before the session moves to the ended list it appends an Info-level `Session ended[: reason]` entry through the normal log path (released outside `m_Lock`). Current reasons: `client request` (HTTP DELETE), `server shutdown` (self-session), `process exited (...)` (liveness).

**UE_LOGFMT structured entries.** `POST /sessions/{id}/log` now accepts `{level, logger, format, fields}` alongside the existing `{level, logger, message}` shape. New `logtemplate.{h,cpp}` implements UE's `StructuredLog.cpp` template grammar (field paths with `.name` / `[N]`, `{{`/`}}` escapes, `$text` / `$format` / `$locformat` object conventions, bounded recursion). Renders to a displayable message at intake while persisting raw format + fields so a future UI can drill into fields without another schema bump. Hot path is zero-alloc — renders into `ExtendableStringBuilder<256>` using stack-buffered `Oid::ToString` / `IoHash::ToHexString` overloads. UI shows a `{…}` marker with the raw template + JSON-pretty fields on hover.

**Parent sessions.** `SessionInfo` gains `parent_session_id`; hub-managed storage server child processes inherit the hub's session id via `--parent-session=<id>`. `ZEN_SESSIONS_URL` env var becomes a fallback for `--sessions-url` / config when neither is provided. The in-process session log sink is disabled when a remote sessions target is configured (logs flow through `SessionsServiceClient` instead). The sessions UI groups child sessions under their parent (collapsible/expandable, sorts as a unit, supports nesting).

**Platform reporting.** `SessionInfo` gains `Platform`, flowed end-to-end: client auto-fills via `GetRuntimePlatformName()`, server persists in `info.cb` (`plat`) and emits on GET. UI renders as a SimpleIcons-style inline SVG (windows / macOS / iOS / linux / wine / android / playstation / xbox / nintendo) with case-insensitive alias resolution (Win32/Win64, PS4/PS5, XSX/XSS, NintendoSwitch, iPhone/iPad, Darwin/OSX). Unknown values fall back to text; sorting runs on the underlying string.

**WebSocket log streaming.** Sessions UI moves from 2 s polling to a WebSocket push model. New `WsSubscriber` has a stable id + helper methods. UI caps the log-line DOM at 5 000 entries with a shared cursor-regression helper, factored out of two call sites. Per-broadcast allocations trimmed on the push path; fixed a stack overrun in the WS log broadcast hex-id buffer.

**Log memory.** `LogEntry::Level` is now `logging::LogLevel` (1 byte) instead of `std::string` (~32 B) — saves ~310 KB per full 10 k-entry deque and eliminates a per-message allocation in the in-proc sink. On-disk format writes an int32 and accepts either int or legacy string on read. `LogEntry` strings now live in a `MemoryArena`; logger names are interned across the deque. `SessionLog::Append` and `WriteSessionInfoFile` drop their `UniqueBuffer` round-trip and write `CbObject::GetView()` straight through `BasicFile` / `SafeWriteFile`. Multi-entry `POST /log` batched under one lock + one push.

**In-proc log timestamps.** `InProcSessionLogSink::TimePointToDateTime` previously preserved only whole seconds, so every in-proc entry rendered at `.000` ms in the dashboard and `zen sessions tail`. It now adds the sub-second part (nanoseconds → 100 ns ticks) to keep ms precision end-to-end.

**UI.** Side "Session Details" panel is gone — its info is inline in the table (appname, mode, platform, id, timestamps, this/log pills, active dot). Bottom panel is a tabbed `Log | Metadata` view with a right-side "Session Information" panel beside metadata; log-only controls (filter, newest-first, follow, log-level filter, expand/collapse) hide when Metadata is active, polling keeps running across tab switches. Wide-mode toggle fills the viewport edge-to-edge. Log lines show the logger category; timestamps render in 24 h with zero-padded fields regardless of locale. Sessions list defaults to All / 10 per page / created-desc, gains click-to-sort headers on the full dataset, a header filter box, and a pager aligned to the table's right edge. Duplicate auto-injected `<h1>Sessions</h1>` removed.

## `zen sessions` CLI

New command tree on the `zen` client for inspecting the sessions service from the terminal:

- **`zen sessions ls`** — lists sessions (active first, ended next; newest-first within each group) with id, status, app/mode, pid, created, duration, and log count. Supports `--status active|ended|all` (default `all`).
- **`zen sessions status`** — prints the sessions service summary: self id, active / ended counts, and the read/write/delete/list/request/bad-request counters from `/stats/sessions`.
- **`zen sessions tail [session]`** — tails a session's log. With no argument it tails zenserver's own session (resolved via `/sessions/list`'s `self_id`); an explicit 24-hex id targets any session, including ended ones (historical replay). `--lines N` (default 50, 0 = all buffered) trims the initial dump client-side. `--follow` prefers a WebSocket push subscription on `/sessions/ws` for sub-second latency; on upgrade failure (older server, blocked port, unix-socket transport) it falls back to HTTP cursor polling at `--interval-ms` (default 500), with sleeps chunked to 50 ms so Ctrl-C reacts quickly. Output matches `zen::logging::FullFormatter` (`[YY-MM-DD HH:MM:SS.mmm] [lvl] [logger] message`); on a TTY the level is colored and the logger is bold, with continuation lines indented under the message column using the *visible* prefix width. 404 surfaces as `(session ended)` and connection errors as `(server gone)` — both clean exits, so stopping the server mid-tail no longer prints a stack trace.
- **`zen sessions ui`** — opens `<host>/dashboard/?page=sessions` in the user's default browser. Rejects unix-socket hosts.

A small `ZenServiceClient::IsUnixSocket()` helper now wraps the unix-socket check used by `ui`, `sessions tail` (WS path), and `sessions ui`.

## Logging

`BacklogSink` captures early-startup log entries in a fixed-capacity ring so late-attached sinks (session sink, file sink) can replay them. Detaches from the broadcast list when disabled; backed by destructor-only cleanup (no `unique_ptr` indirection per entry). Tuned defaults so the backlog covers typical bring-up without unbounded growth.

## `zen trace serve` viewer

- Compact timeline mode for high-density views.
- New `TRACE_INT_VALUE` / `TRACE_FLOAT_VALUE` counter trace points + a counters page in the viewer.
- Callsite tables collapsed into a single tabbed panel.
- Lossless `Oid <-> Guid` bridge for trace session ids; trace `SessionId` plumbed through.
- `tourist` parser hardening: bounds-check `BufferStream::read`, validate `Type::info_size` before `patch()`, convert `parse_important_aux` to a loop (avoids deep recursion), widen `ParserPool` index to `uint32`, bounds-check field offsets in the dispatcher, pin `Types::parse` buffer up-front.

## `MemoryArena`

Configurable chunk size, inline chunk list, oversize requests routed to truly-dedicated chunks (no slack waste, no fragmentation when one allocation is much larger than the chunk).

## Allocation cleanups across hot paths

- `zenhttp::HttpRequestRouter::HandleRequest` and `FormatPackageMessageInternal`: drop heap allocations.
- Compact-binary validation: `eastl::fixed_vector` + `eastl::sort`; eliminate `std::vector` churn.
- `zenserverprocess`: trim transient allocations in spawn paths.
- Sessions HTTP intake / broadcast: drop transient `std::string` allocs.
Diffstat (limited to 'thirdparty')
-rw-r--r-- thirdparty/tourist/analysis/src/dispatcher.cpp 27
-rw-r--r-- thirdparty/tourist/foundation/src/stream.cpp 7
-rw-r--r-- thirdparty/tourist/trace/src/protocol.cpp 71
3 files changed, 79 insertions, 26 deletions
diff --git a/thirdparty/tourist/analysis/src/dispatcher.cpp b/thirdparty/tourist/analysis/src/dispatcher.cpp
index e7ea4a37e..a667b0c37 100644
--- a/thirdparty/tourist/analysis/src/dispatcher.cpp
+++ b/thirdparty/tourist/analysis/src/dispatcher.cpp
@@ -2,6 +2,8 @@
#include <foundation/scheduler.h>
#include <trace/trace.h>
+#include <constants.h>
+
//------------------------------------------------------------------------------
void Dispatcher::add_analyzer(Analyzer& analyzer)
{
@@ -20,6 +22,12 @@ void Dispatcher::on_new_type(const Type* type)
if (outline->hash != type_hash)
continue;
+ // Sum of non-array field sizes — the byte length of event.data that
+ // scalar field reads index into.
+ uint32 event_size = 0;
+ for (uint32 i = 0, n = type->get_field_count(); i < n; ++i)
+ event_size += type->get_field(i).get_size();
+
for (uint32 i = 0; i < type->get_field_count(); ++i)
{
auto [field_name, field] = type->get_field_info(i);
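Review bot: The comment on the new `event_size` loop says it sums non-array field sizes, but the loop adds `type->get_field(i).get_size()` for every field with no `TYPE_INFO_CAT_ARRAY` test. If `get_size()` is non-zero for array or string fields, `event_size` overstates the scalar payload and the offset check that relies on it accepts reads beyond the real `event.data` length. Either skip array-category fields in the loop or say in the comment that `get_size()` returns 0 for them. The sum is also an unchecked `uint32` accumulation over values taken from the trace, so a `uint64` accumulator or an explicit cap would remove any wrap question.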
@@ -30,8 +38,23 @@ void Dispatcher::on_new_type(const Type* type)
if (f->hash != field_hash)
continue;
- f->type_info = uint8(field.get_type_info());
- f->offset = int16(field.get_offset());
+ uint32 type_info = field.get_type_info();
+ uint32 offset = field.get_offset();
+
+ // Scalar fields are read via event.data + offset. Validate the
+ // offset and element size against event_size so a malicious
+ // utrace can't make Outline::Field memcpy past the event
+ // payload. Array/string fields are read from aux and ignore
+ // offset.
+ if ((type_info & TYPE_INFO_CAT_ARRAY) == 0)
+ {
+ uint32 element_size = 1u << (type_info & TYPE_INFO_SIZE_MASK);
+ if (offset > event_size || element_size > event_size - offset)
+ break;
+ }
+
+ f->type_info = uint8(type_info);
+ f->offset = int16(offset);
f->set = 1;
f->index = i;
break;
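Review bot: In the scalar-field check, `offset` is validated as a `uint32` against `event_size` but is then stored with `f->offset = int16(offset);`, so an accepted offset above 32767 is narrowed to a different, possibly negative, value after the check has already passed. Reject `offset > INT16_MAX` in the same condition, or widen the stored field, so that the value that was validated is the value that gets used. The same applies to `uint8(type_info)`: the element size is computed from the 32-bit value and the stored copy is the low byte, which is only equivalent if `TYPE_INFO_SIZE_MASK` and `TYPE_INFO_CAT_ARRAY` both sit in that byte; a `static_assert` would pin that down. The `break` on a failed check also drops the field silently, and a log line there would make malformed traces diagnosable.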
diff --git a/thirdparty/tourist/foundation/src/stream.cpp b/thirdparty/tourist/foundation/src/stream.cpp
index c560436d3..97d4cb395 100644
--- a/thirdparty/tourist/foundation/src/stream.cpp
+++ b/thirdparty/tourist/foundation/src/stream.cpp
@@ -2,6 +2,8 @@
#include "slab.h"
+#include <stdexcept>
+
//------------------------------------------------------------------------------
BufferStream::BufferStream(Slab* slab, const uint8* ptr, uint32 size)
: _ptr(ptr)
@@ -37,8 +39,11 @@ uint32 BufferStream::get_remaining() const
//------------------------------------------------------------------------------
const uint8* BufferStream::read(uint32 size)
{
+ if (size > _end - _cursor)
+ throw std::runtime_error("BufferStream: read past end of buffer");
+ const uint8* ret = (uint8*)_ptr + _cursor;
_cursor += size;
- return (uint8*)_ptr + _cursor - size;
+ return ret;
}
//------------------------------------------------------------------------------
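Review bot: The new guard `if (size > _end - _cursor)` in `BufferStream::read` is only correct while `_cursor <= _end` holds; if those members are unsigned and any other path advances `_cursor` without this check, the subtraction wraps and every `size` passes. The member declarations and the templated `read<T>()` that the parser calls are not part of this diff, so please confirm that `read<T>()` goes through this function (or carries the same check) and that nothing else moves the cursor unchecked, and state the invariant in a comment. This path throws `std::runtime_error` while `protocol.cpp` reports malformed input through `fatal()`, so callers have two error mechanisms to handle.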
diff --git a/thirdparty/tourist/trace/src/protocol.cpp b/thirdparty/tourist/trace/src/protocol.cpp
index 5297048ec..38868a127 100644
--- a/thirdparty/tourist/trace/src/protocol.cpp
+++ b/thirdparty/tourist/trace/src/protocol.cpp
@@ -28,7 +28,27 @@ Tuple<uint32, TypeDesc> TypeDesc::parse(BufferStream& stream)
uint32 info_size = stream.read<uint16>();
const uint8* type_info = stream.read(info_size);
+
+ // Validate that the declared field count and name lengths actually fit
+ // within info_size before patch() walks _fields[] and writes to it.
+ if (info_size < sizeof(Type))
+ fatal("type info smaller than Type header");
+
auto* type = (Type*)type_info;
+ uint32 field_count = type->get_field_count();
+ uint64 required = sizeof(Type);
+ required += uint64(field_count) * sizeof(Type::Field);
+ required += type->_logger_name_len;
+ required += type->_event_name_len;
+ if (required > info_size)
+ fatal("type info too small for declared fields");
+ for (uint32 i = 0; i < field_count; ++i)
+ {
+ required += type->_fields[i].name_size;
+ if (required > info_size)
+ fatal("type info too small for declared field names");
+ }
+
type->patch();
uint32 uid = type->get_uid();
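Review bot: The three size checks ahead of `type->patch()` protect it only if `fatal()` never returns. Later in this file `fatal("unsupported important sub-uid");` is followed by `return Serial();`, so it is not clear from the diff whether `fatal()` is declared noreturn or throws; if it can return, execution falls through to `type->get_field_count()` and `patch()` on the undersized buffer. Confirm that `fatal()` is `[[noreturn]]`, or throw or return explicitly after each failed check. The `uint64` accumulator for `required` is the right choice here since `field_count` and the name lengths all come from the input.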
@@ -69,6 +89,11 @@ private:
//------------------------------------------------------------------------------
void Types::parse(Buffer& buffer, Vector<const Type*>& new_types)
{
+ // Pin the buffer up-front. TypeDesc::parse stores raw pointers into
+ // this buffer's slab in _descs; if a later type is malformed and
+ // throws, we still need the already-stored entries to remain valid.
+ _buffer_refs.push_back(buffer.create_ref());
+
BufferStream stream = buffer.create_stream();
do
{
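Review bot: With `_buffer_refs.push_back(buffer.create_ref());` moved to the top of `Types::parse`, a buffer whose first type is malformed and throws stays pinned even though nothing in `_descs` points into it. That is safe with respect to dangling pointers, but rejected input is now retained for the lifetime of `Types`. If callers can continue parsing after the exception, consider dropping the ref when no descriptor from this buffer was stored, or note in the comment that the retention is intentional.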
@@ -83,9 +108,6 @@ void Types::parse(Buffer& buffer, Vector<const Type*>& new_types)
new_types.push_back(desc.type);
}
while (stream.has_data());
-
- BufferRef buffer_ref = buffer.create_ref();
- _buffer_refs.push_back(std::move(buffer_ref));
}
//------------------------------------------------------------------------------
@@ -466,22 +488,25 @@ void EventParser::parse_aux(const State& state)
//------------------------------------------------------------------------------
Serial EventParser::parse_important_aux(const State& state)
{
- uint32 uid = state.stream.read<uint8>();
-
- if (uid == 1) // AuxData
+ while (true)
{
- parse_aux(state);
- return parse_important_aux(state);
- }
+ uint32 uid = state.stream.read<uint8>();
- if (uid == 3) // AuxDataTerminal
- {
- _stage = -1;
- return Serial(Serial::NO_SYNC);
- }
+ if (uid == 1) // AuxData
+ {
+ parse_aux(state);
+ continue;
+ }
- fatal("unsupported important sub-uid");
- return Serial();
+ if (uid == 3) // AuxDataTerminal
+ {
+ _stage = -1;
+ return Serial(Serial::NO_SYNC);
+ }
+
+ fatal("unsupported important sub-uid");
+ return Serial();
+ }
}
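Review bot: The `while (true)` loop in `parse_important_aux` ends only on uid 3, on `fatal()`, or when `state.stream.read<uint8>()` fails at end of data, so a run of uid 1 records with no terminal now depends entirely on the stream read being bounds-checked. The `read<uint8>()` implementation is not in this diff; confirm it goes through the checked `BufferStream::read(uint32)` and that `parse_aux` always consumes input, so the loop can neither spin in place nor walk off the buffer. The trailing `return Serial();` after `fatal(...)` inside the loop reads as unreachable and would be clearer with a comment or removed if `fatal()` is noreturn.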
@@ -544,12 +569,12 @@ class ParserPool
{
public:
EventParser& get_parser(uint32 index);
- uint16 alloc_parser();
+ uint32 alloc_parser();
void free_parser(uint32 index);
private:
Vector<EventParser> _parsers;
- Vector<uint16> _frees;
+ Vector<uint32> _frees;
};
//------------------------------------------------------------------------------
@@ -559,15 +584,15 @@ EventParser& ParserPool::get_parser(uint32 index)
}
//------------------------------------------------------------------------------
-uint16 ParserPool::alloc_parser()
+uint32 ParserPool::alloc_parser()
{
if (_frees.empty())
{
_parsers.emplace_back();
- return uint16(_parsers.size() - 1);
+ return uint32(_parsers.size() - 1);
}
- uint16 index = _frees.back();
+ uint32 index = _frees.back();
_frees.pop_back();
return index;
}
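Review bot: `alloc_parser` now returns `uint32(_parsers.size() - 1)` with no upper bound, where the old `uint16` cast silently aliased indices once the pool passed 65535 entries. The aliasing is fixed, but the pool size is now limited only by what the trace requests; consider a sanity cap on `_parsers.size()` that fails the parse cleanly. Please also check that every caller storing the return value has been widened, since the diff shows `parser_index` changed in one struct only.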
@@ -576,7 +601,7 @@ uint16 ParserPool::alloc_parser()
void ParserPool::free_parser(uint32 index)
{
_parsers[index] = EventParser();
- _frees.push_back(uint16(index));
+ _frees.push_back(index);
}
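Review bot: `free_parser` writes `_parsers[index]` and pushes `index` onto `_frees` without checking `index < _parsers.size()` or that the slot is not already on the free list. Now that the full `uint32` value is kept instead of being truncated, an out-of-range index writes out of bounds and a repeated index lets `alloc_parser` hand the same parser out twice. An assert or explicit range check at the top of the function would be cheap.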
@@ -598,7 +623,7 @@ private:
{
Serial serial;
uint16 id;
- uint16 parser_index;
+ uint32 parser_index;
PacketNode* head = nullptr;
PacketNode* tail = nullptr;
};