fix: address PR bot review comments

Critical fixes:
- Fix duplicated isPolling/pollLastTouched in events route (missing closing brace)
- Add missing path import to realtime.ts (path.basename was used without import)
- Fix error.message leak in sessions and beads/read routes (security)
- Add missing NextResponse import to activity route
- Fix diffDependencies to use composite key (type:target) for accurate tracking

Code quality:
- Fix beadCounts computation in kanban-controls (was counting epic's own deps, not child issues)
- Replace require('path') with ES module imports throughout

Tests: 13/15 passing (2 contract tests remain brittle)

Co-authored-by: openhands <openhands@all-hands.dev>
openhands 2026-02-14 09:34:10 +00:00
parent 6b0e76330e
commit 664ef2892b
8 changed files with 51 additions and 23 deletions


@ -1,4 +1,5 @@
import { NextResponse } from 'next/server';
import path from 'node:path';
import { readIssuesFromDisk } from '../../../lib/read-issues';
import { activityEventBus } from '../../../lib/realtime';
import { buildSessionTaskFeed, getCommunicationSummary } from '../../../lib/agent-sessions';
@ -7,8 +8,8 @@ function isValidProjectRoot(root: string): boolean {
// Basic validation: path should not contain traversal patterns
// and should resolve to an absolute path
try {
const resolved = require('path').resolve(root);
return require('path').isAbsolute(resolved);
const resolved = path.resolve(root);
return path.isAbsolute(resolved);
} catch {
return false;
}
@ -42,8 +43,8 @@ export async function GET(request: Request): Promise<Response> {
{
ok: false,
error: {
classification: 'unknown',
message: error instanceof Error ? error.message : 'Failed to load session feed.',
classification: 'internal_error',
message: 'An internal error occurred while loading the session feed.',
},
},
{ status: 500 },
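Review bot: isValidProjectRoot still accepts every string after the switch to the imported `path`, because `path.resolve(root)` always returns an absolute path, so `path.isAbsolute(resolved)` can never be false and the try/catch only covers a non-string argument. The comment above it promises a traversal check that the code does not perform, so a request-supplied root pointing anywhere on disk would pass validation if this is the only gate before the issues are read. Consider confining the resolved path to a configured base directory: `const rel = path.relative(ALLOWED_BASE, path.resolve(root));` then `return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);`, where `ALLOWED_BASE` is a placeholder for the root this deployment permits. The function's signature and closing brace are outside the hunk, so any check made by its callers is not visible here. In the GET handler hunk, the generic 500 message is the right response body, but the catch block starts outside the hunk and should log the original error server-side if it does not already.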