review: apply sanitizeSessionId to UUID shortId, fix test comment

- Route the transcript-derived shortId through sanitizeSessionId so the
  fallback and transcript branches remain byte-for-byte equivalent for any
  non-UUID session IDs that still land in CLAUDE_SESSION_ID (greptile P1).
- Clarify the inline comment in the first regression test: clearing
  CLAUDE_SESSION_ID exercises the transcript_path branch, not the
  getSessionIdShort() fallback (coderabbit P2).

Refs #1494

scripts/hooks/session-end.js

@@ -16,6 +16,7 @@ const {
   getDateString,
   getTimeString,
   getSessionIdShort,
+  sanitizeSessionId,
   getProjectName,
   ensureDir,
   readFile,
@@ -202,7 +203,11 @@ async function main() {
   let shortId = null;
   if (transcriptPath) {
     const m = path.basename(transcriptPath).match(/([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\.jsonl$/i);
-    if (m) { shortId = m[1].slice(-8).toLowerCase(); }
+    if (m) {
+      // Run through sanitizeSessionId() for byte-for-byte parity with
+      // getSessionIdShort(sessionId.slice(-8)).
+      shortId = sanitizeSessionId(m[1].slice(-8).toLowerCase());
+    }
   }
   if (!shortId) { shortId = getSessionIdShort(); }
   const sessionFile = path.join(sessionsDir, `${today}-${shortId}-session.tmp`);

tests/hooks/hooks.test.js

@@ -651,8 +651,10 @@ async function runTests() {
         await runScript(path.join(scriptsDir, 'session-end.js'), stdinJson, {
           HOME: isoHome,
           USERPROFILE: isoHome,
-          // Explicitly clear CLAUDE_SESSION_ID so parent env does not leak in and
-          // force the getSessionIdShort() fallback instead of the transcript path.
+          // Clear CLAUDE_SESSION_ID so parent-process env does not leak into the
+          // child and the test deterministically exercises the transcript_path
+          // branch (getSessionIdShort() is the alternative path that is not
+          // exercised here).
           CLAUDE_SESSION_ID: ''
         });