fix(security): Gemini API key header + Mutex safety + Agent validation

M1-01: Move Gemini API key from URL query param to x-goog-api-key header,
     preventing key leakage in logs/proxy/telemetry (matches Anthropic/OpenAI pattern)

M1-03/M1-04: Replace Mutex .unwrap() with .unwrap_or_else(|e| e.into_inner())
     in MemoryMiddleware and LoopGuardMiddleware — recovers from poison
     instead of panicking async runtime

M2-08: Add input validation to agent_create — reject empty names,
     out-of-range temperature (0-2), and zero max_tokens

M11-06: Replace Date.now() message ID with crypto.randomUUID()
     to prevent collisions in classroom chat

desktop/src-tauri/src/kernel_commands/agent.rs

@@ -73,6 +73,18 @@ pub async fn agent_create(
     state: State<'_, KernelState>,
     request: CreateAgentRequest,
 ) -> Result<CreateAgentResponse, String> {
+    // Input validation
+    let name_trimmed = request.name.trim();
+    if name_trimmed.is_empty() {
+        return Err("Agent name cannot be empty".to_string());
+    }
+    if request.temperature < 0.0 || request.temperature > 2.0 {
+        return Err(format!("Temperature must be between 0 and 2, got {}", request.temperature));
+    }
+    if request.max_tokens == 0 {
+        return Err("max_tokens must be greater than 0".to_string());
+    }
+
     let kernel_lock = state.lock().await;
 
     let kernel = kernel_lock.as_ref()

desktop/src/store/classroomStore.ts

@@ -173,7 +173,7 @@ export const useClassroomStore = create<ClassroomStore>()((set, get) => ({
 
     // Create a local user message for display
     const userMsg: ClassroomChatMessage = {
-      id: `user-${Date.now()}`,
+      id: `user-${crypto.randomUUID()}`,
       agentId: 'user',
       agentName: '你',
       agentAvatar: '👤',