fix(remote-control): harden self-hosted session flows (#278)

Co-authored-by: chengzifeng <chengzifeng@meituan.com>

packages/remote-control-server/src/routes/v1/session-ingress.ts

@@ -8,7 +8,7 @@ import {
   handleWebSocketClose,
   ingestBridgeMessage,
 } from "../../transport/ws-handler";
-import { getSession } from "../../services/session";
+import { getSession, resolveExistingSessionId } from "../../services/session";
 
 const { upgradeWebSocket, websocket } = createBunWebSocket();
 
@@ -43,7 +43,8 @@ function authenticateRequest(c: any, label: string, expectedSessionId?: string):
 
 /** POST /v2/session_ingress/session/:sessionId/events — HTTP POST (HybridTransport writes) */
 app.post("/session/:sessionId/events", async (c) => {
-  const sessionId = c.req.param("sessionId")!;
+  const requestedSessionId = c.req.param("sessionId")!;
+  const sessionId = resolveExistingSessionId(requestedSessionId) ?? requestedSessionId;
 
   if (!authenticateRequest(c, `POST session/${sessionId}`, sessionId)) {
     return c.json({ error: { type: "unauthorized", message: "Invalid auth" } }, 401);
@@ -71,7 +72,8 @@ app.post("/session/:sessionId/events", async (c) => {
 app.get(
   "/ws/:sessionId",
   upgradeWebSocket(async (c) => {
-    const sessionId = c.req.param("sessionId")!;
+    const requestedSessionId = c.req.param("sessionId")!;
+    const sessionId = resolveExistingSessionId(requestedSessionId) ?? requestedSessionId;
 
     if (!authenticateRequest(c, `WS ${sessionId}`, sessionId)) {
       return {