fix: apply code review security and robustness fixes

- Add require_engineer_or_admin to POST/PUT/DELETE in target_lists.py (blocks viewers from write ops)
- Add require_engineer_or_admin to POST/PATCH in maintenance_schedules.py (blocks viewers from write ops)
- Add team ownership guard in batch_launch_sessions after active/published checks (Fix 2)
- Wrap scheduler.remove_job in try/except for SchedulerNotRunningError and JobLookupError (Fix 3)
- Recompute next_run_at when is_active flips to True, capturing was_active before update (Fix 4)
- Add optional batch_id and target_label fields to Session type; remove unsafe cast in MaintenanceFlowDetailPage.tsx (Fix 5)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
chihlasm
2026-02-17 16:15:19 -05:00
parent a4717e9dd7
commit 6240d68d09
6 changed files with 24 additions and 7 deletions

@@ -528,6 +528,9 @@ async def batch_launch_sessions(
if tree.status == 'draft':
raise HTTPException(status_code=400, detail="Cannot batch-launch a draft flow")
if not current_user.is_super_admin and tree.team_id != current_user.team_id:
raise HTTPException(status_code=403, detail="Access denied")
if tree.tree_type != "maintenance":
raise HTTPException(status_code=400, detail="Batch launch is only for maintenance flows")
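
Review bot: The team ownership guard (`tree.team_id != current_user.team_id`) runs after the draft check, so a caller from another team gets a 400 "Cannot batch-launch a draft flow" for a draft flow and a 403 for any other, which tells them the status of a flow they are not allowed to see. Move the ownership check ahead of the status and type checks so an unauthorized caller gets the same response regardless of the flow's state. Also confirm how the comparison behaves when `team_id` is None: if both the flow and the user can lack a team, `None != None` is false and the guard passes, so a test for that case is worth adding alongside this change.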