fix(csrf): prevent undefined token when session at max capacity

Root cause: generateToken() returned undefined when session already
had maxTokensPerSession (5) tokens, causing ERR_HTTP_INVALID_HEADER_VALUE.

Fix: Force generate token even when at capacity, ensuring we always
return a valid token string.

Related: v7.1.1 CLI process hang fix

ccw/src/core/auth/csrf-manager.ts

@@ -56,6 +56,26 @@ export class CsrfTokenManager {
    */
   generateToken(sessionId: string): string {
     const tokens = this.generateTokens(sessionId, 1);
+    // If no slots available (session at max capacity), force generate anyway
+    // This ensures we always return a valid token
+    if (tokens.length === 0) {
+      const token = randomBytes(32).toString('hex');
+      const expiresAtMs = Date.now() + this.tokenTtlMs;
+      const record: CsrfTokenRecord = {
+        sessionId,
+        expiresAtMs,
+        used: false,
+      };
+      // Get or create session map
+      let sessionMap = this.sessionTokens.get(sessionId);
+      if (!sessionMap) {
+        sessionMap = new Map();
+        this.sessionTokens.set(sessionId, sessionMap);
+      }
+      sessionMap.set(token, record);
+      this.tokenToSession.set(token, sessionId);
+      return token;
+    }
     return tokens[0];
   }