fix: add auth guards, optimize refresh loop, and improve batch session tests

- Move mid-file pydantic/uuid imports to top of sessions.py
- Add can_access_tree, is_active, and draft status guards to batch_launch_sessions
- Remove notes field from _BatchTarget to keep API clean
- Add max_length=100 cap to targets list in _BatchLaunchRequest
- Hoist tree_snapshot computation above the session creation loop
- Replace N db.refresh() calls with a single bulk select after flush
- Add test_batch_launch_requires_auth and test_batch_launch_rejects_draft_tree tests
- Fix trailing slash on /api/v1/trees/ URL in new test (caused 307 redirect)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

backend/app/api/endpoints/sessions.py

@@ -1,8 +1,10 @@
 from datetime import datetime, timezone
 from typing import Annotated, Optional
 from uuid import UUID
+import uuid
 from fastapi import APIRouter, Depends, HTTPException, status, Query
 from fastapi.responses import PlainTextResponse
+from pydantic import BaseModel, Field as PydanticField
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select
 
@@ -489,18 +491,14 @@ async def save_session_as_tree(
 
 # ── Batch Launch (Maintenance Flows) ──────────────────────────────────────
 
-from pydantic import BaseModel, Field as PydanticField
-import uuid as uuid_mod
-
 
 class _BatchTarget(BaseModel):
     label: str = PydanticField(..., min_length=1, max_length=255)
-    notes: Optional[str] = None
 
 
 class _BatchLaunchRequest(BaseModel):
     tree_id: UUID
-    targets: list[_BatchTarget] = PydanticField(..., min_length=1)
+    targets: list[_BatchTarget] = PydanticField(..., min_length=1, max_length=100)
 
 
 class _BatchLaunchResponse(BaseModel):
@@ -520,19 +518,31 @@ async def batch_launch_sessions(
     tree = tree_result.scalar_one_or_none()
     if not tree:
         raise HTTPException(status_code=404, detail="Tree not found")
+
+    if not can_access_tree(current_user, tree):
+        raise HTTPException(status_code=403, detail="Access denied")
+
+    if not tree.is_active:
+        raise HTTPException(status_code=400, detail="Cannot batch-launch an inactive flow")
+
+    if tree.status == 'draft':
+        raise HTTPException(status_code=400, detail="Cannot batch-launch a draft flow")
+
     if tree.tree_type != "maintenance":
         raise HTTPException(status_code=400, detail="Batch launch is only for maintenance flows")
 
-    batch_id = uuid_mod.uuid4()
+    batch_id = uuid.uuid4()
     created_sessions = []
 
+    # Hoist snapshot computation out of the loop — same tree for all targets
+    tree_snapshot = {
+        **tree.tree_structure,
+        "name": tree.name,
+        "description": tree.description,
+        "tree_type": tree.tree_type,
+    }
+
     for target in data.targets:
-        tree_snapshot = {
-            **tree.tree_structure,
-            "name": tree.name,
-            "description": tree.description,
-            "tree_type": tree.tree_type,
-        }
         session = Session(
             tree_id=tree.id,
             user_id=current_user.id,
@@ -548,8 +558,9 @@ async def batch_launch_sessions(
         created_sessions.append(session)
 
     await db.flush()
-    for s in created_sessions:
-        await db.refresh(s)
+    session_ids = [s.id for s in created_sessions]
+    result = await db.execute(select(Session).where(Session.id.in_(session_ids)))
+    created_sessions = result.scalars().all()
     await db.commit()
 
     return _BatchLaunchResponse(