Security + correctness fix for archive cleanup:
- Symlink guards: archive_root, session dirs, and listing paths all skip symlinks to prevent symlink-swap deletion attacks
- shutil.rmtree: replaces manual unlink loop so nested subdirectories are properly cleaned (bug reported by @danikdanik in #39)
- Python 3.9 safe: uses os.lstat() instead of stat(follow_symlinks=False) which requires 3.10+
- Pre-existing fix: hardened the same pattern in measure.py's archive_cleanup() which already had unguarded rmtree
Thanks @danikdanik for reporting the nested directory cleanup bug!