fix: sanitize FTS5 queries and close mirror DB connections

Two bugs fixed:

1. search_messages() crashes with OperationalError when user queries
   contain FTS5 special characters (+, ", (, {, dangling AND/OR, etc).
   Added _sanitize_fts5_query() to strip dangerous operators and a
   fallback try-except for edge cases.

2. _append_to_sqlite() in mirror.py creates a new SessionDB per call
   but never closes it, leaking SQLite connections. Added finally block
   to ensure db.close() is always called.

tests/gateway/test_mirror.py

@@ -160,3 +160,27 @@ class TestMirrorToSession:
             result = mirror_to_session("telegram", "123", "msg")
 
         assert result is False
+
+
+class TestAppendToSqlite:
+    def test_connection_is_closed_after_use(self, tmp_path):
+        """Verify _append_to_sqlite closes the SessionDB connection."""
+        from gateway.mirror import _append_to_sqlite
+        mock_db = MagicMock()
+
+        with patch("hermes_state.SessionDB", return_value=mock_db):
+            _append_to_sqlite("sess_1", {"role": "assistant", "content": "hello"})
+
+        mock_db.append_message.assert_called_once()
+        mock_db.close.assert_called_once()
+
+    def test_connection_closed_even_on_error(self, tmp_path):
+        """Verify connection is closed even when append_message raises."""
+        from gateway.mirror import _append_to_sqlite
+        mock_db = MagicMock()
+        mock_db.append_message.side_effect = Exception("db error")
+
+        with patch("hermes_state.SessionDB", return_value=mock_db):
+            _append_to_sqlite("sess_1", {"role": "assistant", "content": "hello"})
+
+        mock_db.close.assert_called_once()