security: validate inbound X-Request-Id

[felixvippp-ai]

Closes #96.

Summary

• adds a sanitizeRequestId helper that only accepts caller-provided request IDs matching ^[A-Za-z0-9._-]{1,200}$
• preserves valid gateway IDs and replaces missing, empty, oversized, CRLF, or other control-character values with a fresh UUID
• documents the request ID policy in the README and covers header/error-body behavior with tests

Threat model note

Inbound X-Request-Id is echoed into response headers, structured logs, and error bodies. This change prevents CRLF/control-character injection from reaching those sinks while keeping the existing response shape unchanged.

Tests

• npm.cmd run build
• npm.cmd run lint
• $env:NODE_ENV='test'; node --test dist/request-id.test.js
• $env:NODE_ENV='test'; node --test dist/*.test.js dist/**/*.test.js

[mikewheeleer]

thanks for the effort here @felixvippp-ai! 🙏 issue #96 isn't assigned to you, and we merge from the assigned contributor to keep the campaign fair. please claim an open unassigned issue first, then open your PR. closing this one for now — hope to see it back 🙌