
fix: prevent query params leaking into typed session dict#854

Open
temrjan wants to merge 1 commit into AnswerDotAI:main from temrjan:fix/session-dict-query-params

Conversation

@temrjan temrjan commented Mar 27, 2026

Summary

Fixes #845

When a session parameter is type-hinted as dict, query parameters from the request leak into the session, eventually causing the session cookie to exceed its size limit and get cleared on every request.

Root Cause

In `_find_p`, the check `if anno is dict: return data` (line 201) runs before the session name check on line 203. Since `_find_ps` merges query params into `data` via `data |= dict(conn.query_params)`, returning `data` for `session: dict` includes all query parameters.

```python
# Before (broken order):
if anno is dict: return data          # ← catches session: dict, returns contaminated data
if _is_body(anno):
    if 'session'.startswith(arg.lower()): return conn.scope.get('session', {})  # ← never reached
```

Fix

Move the session name check before `anno is dict`:

```python
# After (correct order):
if 'session'.startswith(arg.lower()) and _is_body(anno): return conn.scope.get('session', {})
if anno is dict: return data
if _is_body(anno):
    return await _from_body(conn, p, data)
```

Test Plan

  • Fixed test_get_toaster_with_typehint (was failing on main)
  • Added test_session_dict_no_query_param_leak regression test
  • All 6 tests pass

🤖 Generated with Claude Code

When a session parameter is type-hinted as `dict`, the `anno is dict`
check in `_find_p` returned the contaminated `data` dict (which includes
merged query params from `_find_ps`) before the session name check could
run.

Move the session name check before `anno is dict` so that `session: dict`
correctly returns `conn.scope['session']` instead of the request data.

Also fix the existing `test_get_toaster_with_typehint` test which was
failing on main due to this bug (missing toast setup step).

Closes AnswerDotAI#845

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
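The ordering bug and its fix can be reproduced outside the framework with a minimal model of the parameter resolver. The block below is an added example, not fasthtml's code or the PR's own tests: `FakeConn`, `_is_body`, `_build_data`, `_from_body` and `leaked_keys` are constructed stand-ins, and the two `find_p_*` functions copy only the check ordering from the "Before" and "After" snippets above.

```python
"""Added example: models the _find_p check-ordering bug with constructed stand-ins."""
from dataclasses import dataclass, field
from typing import Any


@dataclass
class FakeConn:
    """Constructed stand-in for the request/connection object."""
    query_params: dict[str, str]
    scope: dict[str, Any] = field(default_factory=dict)


def _is_body(anno) -> bool:
    """Hypothetical stand-in: treat dict and annotated classes as body types."""
    return anno is dict or (isinstance(anno, type) and bool(getattr(anno, "__annotations__", {})))


def _build_data(conn: FakeConn) -> dict:
    """Mirrors the `data |= dict(conn.query_params)` merge the PR describes."""
    data: dict = {}
    data |= dict(conn.query_params)
    return data


def _from_body(conn: FakeConn, anno, data: dict):
    """Hypothetical body binder: construct `anno` from the merged request data."""
    return anno(**data)


def find_p_before(conn: FakeConn, arg: str, anno, data: dict):
    """Broken order from the PR's "Before" snippet: dict wins before the name check."""
    if anno is dict: return data
    if _is_body(anno):
        if "session".startswith(arg.lower()): return conn.scope.get("session", {})
        return _from_body(conn, anno, data)
    return None


def find_p_after(conn: FakeConn, arg: str, anno, data: dict):
    """Fixed order from the PR's "After" snippet: session name is checked first."""
    if "session".startswith(arg.lower()) and _is_body(anno): return conn.scope.get("session", {})
    if anno is dict: return data
    if _is_body(anno): return _from_body(conn, anno, data)
    return None


def resolve_session(find_p, conn: FakeConn):
    """Resolve a handler parameter declared as `session: dict`."""
    return find_p(conn, "session", dict, _build_data(conn))


def leaked_keys(session_obj: dict, conn: FakeConn) -> list[str]:
    """Regression check: query-param keys that ended up in the object bound as 'session'."""
    return sorted(k for k in conn.query_params if k in session_obj)


def demo() -> dict:
    # Constructed request: two query params and a pre-existing session.
    conn = FakeConn(query_params={"page": "2", "q": "toaster"},
                    scope={"session": {"user": "alice"}})
    broken = resolve_session(find_p_before, conn)
    fixed = resolve_session(find_p_after, conn)
    # A handler writing into its `session` argument should reach the real scope session.
    fixed["visits"] = 1
    # A dict parameter that is not the session must still receive the request data.
    plain = find_p_after(conn, "d", dict, _build_data(conn))
    return {
        "broken_leak": leaked_keys(broken, conn),
        "fixed_leak": leaked_keys(fixed, conn),
        "write_reaches_scope": conn.scope["session"].get("visits") == 1,
        "plain_dict_gets_query_params": plain == {"page": "2", "q": "toaster"},
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the broken order binding `['page', 'q']` into the session argument while the fixed order binds none, and that with the fix a handler's write to `session` lands in `conn.scope['session']`. The last key confirms the reordering does not change behaviour for dict parameters that are not named like the session.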

Development

Successfully merging this pull request may close these issues.

[BUG] Typehinting session parameter pulls in query parameters
