Refactor session initialization in SessionRoutes to improve prompt handling

- Changed the order of operations in session initialization to first create/get the SDK session with the original prompt.
- Introduced a new step to clean the prompt of privacy tags after determining the session ID.
- Updated logging to reflect the new flow and ensure clarity on session creation and prompt number calculation.

src/services/worker/http/routes/SessionRoutes.ts

@@ -501,24 +501,27 @@ export class SessionRoutes extends BaseRouteHandler {
 
     const store = this.dbManager.getSessionStore();
 
-    // Step 1: Strip privacy tags from prompt BEFORE storing
-    // This prevents <private> content from being persisted to sdk_sessions.user_prompt
-    const cleanedPrompt = stripMemoryTagsFromPrompt(prompt);
+    // Step 1: Create/get SDK session (idempotent INSERT OR IGNORE)
+    const sessionDbId = store.createSDKSession(claudeSessionId, project, prompt);
 
-    // Step 2: Create/get SDK session with CLEANED prompt (idempotent INSERT OR IGNORE)
-    const sessionDbId = store.createSDKSession(claudeSessionId, project, cleanedPrompt);
+    logger.info('HTTP', 'SessionRoutes: createSDKSession returned', {
+      sessionDbId,
+      claudeSessionId
+    });
 
-    // Step 3: Get next prompt number from user_prompts count
+    // Step 2: Get next prompt number from user_prompts count
     const currentCount = store.getPromptNumberFromUserPrompts(claudeSessionId);
     const promptNumber = currentCount + 1;
 
-    logger.info('HTTP', 'SessionRoutes: Session initialization', {
+    logger.info('HTTP', 'SessionRoutes: Calculated promptNumber', {
       sessionDbId,
-      claudeSessionId,
       promptNumber,
       currentCount
     });
 
+    // Step 3: Strip privacy tags from prompt
+    const cleanedPrompt = stripMemoryTagsFromPrompt(prompt);
+
     // Step 4: Check if prompt is entirely private
     if (!cleanedPrompt || cleanedPrompt.trim() === '') {
       logger.debug('HOOK', 'Session init - prompt entirely private', {