fix: isolate requests.Session per thread in HTTPFetchTransport

  Concurrent fetches shared a single requests.Session dict on the transport
  instance, causing 401 failures and auth header corruption under load (e.g.
  244/382 requests failing at fetch_concurrency=8 with cookie auth). Fix uses
  threading.local() so each worker thread gets its own session cache. A
  central registry (_all_thread_session_dicts) lets cleanup() close all
  sessions regardless of which thread created them. Adds a regression test
  verifying that concurrent calls to get_session() return distinct Session
  objects per thread.

Update Pipfile.lock

Author: mikedarcy