style(honcho): hoist hashlib import; validate baseUrl scheme before 'local' sentinel

Two small follow-ups to the PR review:

- Hoist hashlib import from _enforce_session_id_limit() to module top.
  stdlib imports are free after first cache, but keeping all imports at
  module top matches the rest of the codebase.

- _resolve_api_key now URL-parses baseUrl and requires http/https +
  non-empty netloc before returning the 'local' sentinel.  A typo like
  baseUrl: 'true' (or bare 'localhost') no longer silently passes the
  credential guard; the CLI correctly reports 'not configured'.

Three new tests cover the new validation (garbage strings, non-http
schemes, valid https).

plugins/memory/honcho/client.py

@@ -16,6 +16,7 @@ from __future__ import annotations
 import json
 import os
 import logging
+import hashlib
 from dataclasses import dataclass, field
 from pathlib import Path
 
@@ -571,8 +572,6 @@ class HonchoClientConfig:
         if len(sanitized) <= max_len:
             return sanitized
 
-        import hashlib
-
         hash_len = cls._HONCHO_SESSION_ID_HASH_LEN
         digest = hashlib.sha256(original.encode("utf-8")).hexdigest()[:hash_len]
         # max_len - hash_len - 1 (for the '-' separator) chars of the sanitized