Summary

Replace the 4-hour sliding inactivity timeout with a deterministic session ID derived from sha256(machine_id + app_key + utc_date).

Problem

The current session mechanism uses a random ID with a 4-hour sliding window. This makes it impossible to accurately compute DAU/WAU/MAU server-side because:

• Sessions can span midnight and belong to multiple calendar days
• A user restarting the app gets a new random session ID, overcounting users
• Sessions are synthetic and don't map cleanly to "one user, one day"

Solution

• Use machine-uid crate to get a stable, cross-platform machine identifier
• Hash it with sha2 alongside the app key and UTC date to produce a deterministic session ID
• Same device + same app + same calendar day = same session ID, regardless of app restarts
• The raw machine ID never leaves the device — only the salted hash is sent
• Session rotates automatically at UTC midnight

Changes

• src/client.rs: Replaced new_session_id() (random) with create_session_id() (deterministic hash). Removed last_touch_ts sliding window. Session now tracks date and rotates when UTC date changes.
• Cargo.toml: Added machine-uid and sha2 dependencies.

Server-side impact

DAU = count of distinct sessionId values per calendar day. Each maps to exactly one device on exactly one day.