Add URL encoding for Redis credentials and safer error handling in sessions

[Copilot]

Addresses two robustness issues identified in code review:

1. URL-encode Redis credentials

Credentials containing URL-unsafe characters (@, :, /, ?, #) would break connection string parsing. Added percent-encoding using percent-encoding crate (already in dep tree):

// Before - fails with special chars
format!("{}:{}@", username, password)

// After
let encoded_user = utf8_percent_encode(u, NON_ALPHANUMERIC);
let encoded_pass = utf8_percent_encode(p, NON_ALPHANUMERIC);
format!("{}:{}@", encoded_user, encoded_pass)

2. Replace bare unwrap() with expect() in sessions.rs

Changed panic-on-None to include context about the invariant:

// Before
Ok(session_token.unwrap())

// After  
Ok(session_token.expect("session_token must be Some after creation or retrieval"))

While code flow guarantees Some, explicit message aids debugging if logic error introduced.

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.