fix: 3 bugs fixed, stdin encoding hardened, 37 CI validator tests added

Bug fixes:
- utils.js: glob-to-regex conversion now escapes all regex special chars
  (+, ^, $, |, (), {}, [], \) before converting * and ? wildcards
- validate-hooks.js: escape sequence processing order corrected —
  \\\\ now processed before \\n and \\t to prevent double-processing
- 6 hooks: added process.stdin.setEncoding('utf8') to prevent
  multi-byte UTF-8 character corruption at chunk boundaries
  (check-console-log, post-edit-format, post-edit-typecheck,
  post-edit-console-warn, session-end, evaluate-session)

New tests (37):
- CI validator test suite (tests/ci/validators.test.js):
  - validate-agents: 9 tests (real project, frontmatter parsing,
    BOM/CRLF, colons in values, missing fields, non-md skip)
  - validate-hooks: 13 tests (real project, invalid JSON, invalid
    event types, missing fields, async/timeout validation, inline JS
    syntax, array commands, legacy format)
  - validate-skills: 6 tests (real project, missing SKILL.md, empty
    files, non-directory entries)
  - validate-commands: 5 tests (real project, empty files, non-md skip)
  - validate-rules: 4 tests (real project, empty files)

Total test count: 228 (up from 191)

scripts/ci/validate-hooks.js

@@ -42,7 +42,7 @@ function validateHookEntry(hook, label) {
     const nodeEMatch = hook.command.match(/^node -e "(.*)"$/s);
     if (nodeEMatch) {
       try {
-        new vm.Script(nodeEMatch[1].replace(/\\"/g, '"').replace(/\\n/g, '\n').replace(/\\t/g, '\t').replace(/\\\\/g, '\\'));
+        new vm.Script(nodeEMatch[1].replace(/\\\\/g, '\\').replace(/\\"/g, '"').replace(/\\n/g, '\n').replace(/\\t/g, '\t'));
       } catch (syntaxErr) {
         console.error(`ERROR: ${label} has invalid inline JS: ${syntaxErr.message}`);
         hasErrors = true;

scripts/hooks/check-console-log.js

@@ -28,6 +28,7 @@ const EXCLUDED_PATTERNS = [
 
 const MAX_STDIN = 1024 * 1024; // 1MB limit
 let data = '';
+process.stdin.setEncoding('utf8');
 
 process.stdin.on('data', chunk => {
   if (data.length < MAX_STDIN) {

scripts/hooks/evaluate-session.js

@@ -25,6 +25,7 @@ const {
 // Read hook input from stdin (Claude Code provides transcript_path via stdin JSON)
 const MAX_STDIN = 1024 * 1024;
 let stdinData = '';
+process.stdin.setEncoding('utf8');
 
 process.stdin.on('data', chunk => {
   if (stdinData.length < MAX_STDIN) {

scripts/hooks/post-edit-console-warn.js

@@ -13,6 +13,7 @@ const { readFile } = require('../lib/utils');
 
 const MAX_STDIN = 1024 * 1024; // 1MB limit
 let data = '';
+process.stdin.setEncoding('utf8');
 
 process.stdin.on('data', chunk => {
   if (data.length < MAX_STDIN) {

scripts/hooks/post-edit-format.js

@@ -12,6 +12,7 @@ const { execFileSync } = require('child_process');
 
 const MAX_STDIN = 1024 * 1024; // 1MB limit
 let data = '';
+process.stdin.setEncoding('utf8');
 
 process.stdin.on('data', chunk => {
   if (data.length < MAX_STDIN) {

scripts/hooks/post-edit-typecheck.js

@@ -15,6 +15,7 @@ const path = require('path');
 
 const MAX_STDIN = 1024 * 1024; // 1MB limit
 let data = '';
+process.stdin.setEncoding('utf8');
 
 process.stdin.on('data', chunk => {
   if (data.length < MAX_STDIN) {

scripts/hooks/session-end.js

@@ -88,6 +88,7 @@ function extractSessionSummary(transcriptPath) {
 // Read hook input from stdin (Claude Code provides transcript_path via stdin JSON)
 const MAX_STDIN = 1024 * 1024;
 let stdinData = '';
+process.stdin.setEncoding('utf8');
 
 process.stdin.on('data', chunk => {
   if (stdinData.length < MAX_STDIN) {

scripts/lib/utils.js

@@ -150,8 +150,10 @@ function findFiles(dir, pattern, options = {}) {
     return results;
   }
 
+  // Escape all regex special characters, then convert glob wildcards.
+  // Order matters: escape specials first, then convert * and ? to regex equivalents.
   const regexPattern = pattern
-    .replace(/\./g, '\\.')
+    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
     .replace(/\*/g, '.*')
     .replace(/\?/g, '.');
   const regex = new RegExp(`^${regexPattern}$`);