fix: path traversal in install.sh, error logging in hooks

- Validate language names in install.sh to prevent path traversal via
  malicious args like ../../etc (only allow [a-zA-Z0-9_-])
- Replace silent catch in check-console-log.js with stderr logging so
  hook failures are visible to the user for debugging
- Escape backticks in session-end.js user messages to prevent markdown
  structure corruption in session files
Affaan Mustafa
2026-02-12 14:14:21 -08:00
parent f3a4b33d41
commit 6e5b45ed28
3 changed files with 14 additions and 4 deletions


@@ -59,8 +59,8 @@ process.stdin.on('end', () => {
if (hasConsole) {
log('[Hook] Remove console.log statements before committing');
}
} catch {
// Silently ignore errors (git might not be available, etc.)
} catch (err) {
log(`[Hook] check-console-log error: ${err.message}`);
}
// Always output the original data
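Review bot: The new `catch (err)` branch interpolates `err.message` without checking what was thrown, so a non-Error value logs as "undefined". Messages from a failed child process (the removed comment suggests git is invoked in the try body, which is outside this hunk) can also be multi-line and include the command text and its stderr. I would normalise before logging, for example `const detail = err instanceof Error ? err.message : String(err);` followed by `log(`[Hook] check-console-log error: ${detail.split('\n')[0]}`);`. A short comment such as `// Fail open: the hook must never block the pipeline, but report why the check was skipped` would also record that the skipped check is intentional. The enclosing `process.stdin.on('end', ...)` callback starts before and continues after the hunk.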


@@ -157,10 +157,10 @@ ${summarySection}
function buildSummarySection(summary) {
let section = '## Session Summary\n\n';
// Tasks (from user messages)
// Tasks (from user messages — escape backticks to prevent markdown breaks)
section += '### Tasks\n';
for (const msg of summary.userMessages) {
section += `- ${msg}\n`;
section += `- ${msg.replace(/`/g, '\\`')}\n`;
}
section += '\n';
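Review bot: The escape added in the `for (const msg of summary.userMessages)` loop covers only the backtick, so two ways of breaking the session file's markdown remain. A message that already contains a backslash directly before a backtick comes out as an escaped backslash followed by a live backtick. An embedded newline can still begin a new heading or list item under `### Tasks`, unless messages are already single-line when they arrive, which this hunk does not show. Escaping the backslash first and then flattening line breaks would close both: ``section += `- ${String(msg).replace(/\\/g, '\\\\').replace(/`/g, '\\`').replace(/\r?\n/g, ' ')}\n`;``. The `String(msg)` wrapper also keeps a non-string entry from throwing on `.replace`. `buildSummarySection` continues past the end of the hunk, so any other sections that interpolate transcript-derived text should get the same treatment.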