fix: validation hardening — agent import prompt limit, relay retry tracking, heartbeat validation

- agent_import: add system_prompt length validation (max 50K chars)
  to prevent excessive token consumption from imported configs
- relay retry_task: wrap JoinHandle to log abort on server shutdown
- device_heartbeat: validate device_id length (1-64 chars) matching
  register endpoint constraints

crates/zclaw-saas/src/account/handlers.rs

@@ -283,6 +283,11 @@ pub async fn device_heartbeat(
         .and_then(|v| v.as_str())
         .ok_or_else(|| SaasError::InvalidInput("缺少 device_id".into()))?;
 
+    // Validate device_id length (must match register endpoint constraints)
+    if device_id.is_empty() || device_id.len() > 64 {
+        return Err(SaasError::InvalidInput("device_id 长度必须在 1-64 个字符之间".into()));
+    }
+
     let now = chrono::Utc::now();
 
     // Also update platform/app_version if provided (supports client upgrades)