No Progress Token Format Validation #145

@CyberSecDef

Description

Problem

Progress tokens are UUIDs generated by str(uuid.uuid4()), but no endpoint validates the format before lookup. A malformed token gets the misleading error "Novel generation not complete" instead of "Invalid token."

Files:

  • novelforge/routes/generation/revision.py line 48
  • novelforge/routes/generation/chapters.py (progress endpoints)
  • novelforge/routes/export.py lines 108, 133, 546

Why It Matters

  • Misleading error messages for malformed tokens
  • Defence in depth against future code using token as filename/path
  • Log noise from invalid tokens looking like real failures

Recommended Fix

import re

# Exact shape of str(uuid.uuid4()): lowercase hex in 8-4-4-4-12 groups, nothing else.
_UUID_RE = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$')

def _is_valid_token(token: str) -> bool:
    # Reject None/empty as well as anything that does not match the minted format.
    return bool(token and _UUID_RE.match(token))
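How the check sits in front of the lookup so that a malformed token can no longer surface as "Novel generation not complete" (added example, not the project's code; PROGRESS_STORE, register_job and progress_status are constructed stand-ins for the route code the issue points at):

```python
import re
import uuid
from typing import Any

# Same pattern as the recommended fix: the exact shape of str(uuid.uuid4()).
_UUID_RE = re.compile(r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$')

def _is_valid_token(token: str) -> bool:
    return bool(token and _UUID_RE.match(token))

# Constructed in-memory stand-in for the progress store the endpoints read from;
# the real store and route names are not on the page.
PROGRESS_STORE: dict[str, dict[str, Any]] = {}

def register_job() -> str:
    """Mint a token the way the issue describes (str(uuid.uuid4())) and record it."""
    token = str(uuid.uuid4())
    PROGRESS_STORE[token] = {"done": False}
    return token

def progress_status(token: str) -> tuple[int, str]:
    """Return (http_status, message) for a progress lookup.

    The format check runs *before* any lookup, so a malformed token is
    answered with "Invalid token" rather than being mistaken for a job that
    has not finished, and it never reaches code that might later use the
    token as a filename or path.
    """
    if not _is_valid_token(token):
        return 400, "Invalid token"
    job = PROGRESS_STORE.get(token)
    if job is None:
        return 404, "Unknown token"
    if not job["done"]:
        return 202, "Novel generation not complete"
    return 200, "Complete"
```

The strict regex is deliberate: uuid.UUID(token) would also accept uppercase, brace-wrapped, hyphen-less and urn:uuid: forms, none of which the generator ever mints, so canonical-form matching keeps the accepted input set as small as the issued one.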
