fix(agent): address CRITICAL/HIGH security and validation issues

- Fix SSE JSON injection: use json.dumps for safe serialization
- Add tool validation to dispatcher with allowlist
- Add field validation to tool_registry with proper error handling
- Add run_id consistency check (409 on mismatch)
- Add RunAgentInput constraints: min_length, extra=forbid
- Fix crewai_flow: use Field(default_factory), prefix unused params
qzl
2026-03-03 16:25:43 +08:00
parent ff85c1ab08
commit 9aefb76c9e
7 changed files with 68 additions and 28 deletions
@@ -62,7 +62,7 @@ class TestChatRoutes:
def test_resume_route_streams_sse_events(self, client: TestClient):
payload = {
"threadId": "t1",
"runId": "r2",
"runId": "r1",
"state": {},
"messages": [],
"tools": [],
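Review bot: changing the fixture from "runId": "r2" to "runId": "r1" makes this resume-route test pass the new run_id consistency check, but nothing visible here exercises the mismatch path that the commit message adds (409 on mismatch). Suggest adding a companion test beside this one that posts the same payload with "runId": "r2" to the resume route and asserts a 409 response, so the guard is covered by a test rather than only avoided by the test data.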