review: apply sanitizeSessionId to UUID shortId, fix test comment

- Route the transcript-derived shortId through sanitizeSessionId so the
  fallback and transcript branches remain byte-for-byte equivalent for any
  non-UUID session IDs that still land in CLAUDE_SESSION_ID (greptile P1).
- Clarify the inline comment in the first regression test: clearing
  CLAUDE_SESSION_ID exercises the transcript_path branch, not the
  getSessionIdShort() fallback (coderabbit P2).

Refs #1494

tests/hooks/hooks.test.js

@@ -651,8 +651,10 @@ async function runTests() {
         await runScript(path.join(scriptsDir, 'session-end.js'), stdinJson, {
           HOME: isoHome,
           USERPROFILE: isoHome,
-          // Explicitly clear CLAUDE_SESSION_ID so parent env does not leak in and
-          // force the getSessionIdShort() fallback instead of the transcript path.
+          // Clear CLAUDE_SESSION_ID so parent-process env does not leak into the
+          // child and the test deterministically exercises the transcript_path
+          // branch (getSessionIdShort() is the alternative path that is not
+          // exercised here).
           CLAUDE_SESSION_ID: ''
         });