fix: 6 bugs fixed, 67 tests added for session-manager and session-aliases

Bug fixes:
- utils.js: prevent duplicate 'g' flag in countInFile regex construction
- validate-agents.js: handle CRLF line endings in frontmatter parsing
- validate-hooks.js: handle \t and \\ escape sequences in inline JS validation
- session-aliases.js: prevent NaN in date sort when timestamps are missing
- session-aliases.js: persist rollback on rename failure instead of silent loss
- session-manager.js: require absolute paths in getSessionStats to prevent
  content strings ending with .tmp from being treated as file paths

New tests (164 total, up from 97):
- session-manager.test.js: 27 tests covering parseSessionFilename,
  parseSessionMetadata, getSessionStats, CRUD operations, getSessionSize,
  getSessionTitle, edge cases (null input, non-existent files, directories)
- session-aliases.test.js: 40 tests covering loadAliases (corrupted JSON,
  invalid structure), setAlias (validation, reserved names), resolveAlias,
  listAliases (sort, search, limit), deleteAlias, renameAlias, updateAliasTitle,
  resolveSessionAlias, getAliasesForSession, cleanupAliases, atomic write

Also includes hook-generated improvements:
- utils.d.ts: document that readStdinJson never rejects
- session-aliases.d.ts: fix updateAliasTitle type to accept null
- package-manager.js: add try-catch to setProjectPackageManager writeFile

scripts/lib/session-manager.js

@@ -150,6 +150,7 @@ function getSessionStats(sessionPathOrContent) {
   // read from disk. Otherwise treat it as content.
   const content = (typeof sessionPathOrContent === 'string' &&
     !sessionPathOrContent.includes('\n') &&
+    sessionPathOrContent.startsWith('/') &&
     sessionPathOrContent.endsWith('.tmp'))
     ? getSessionContent(sessionPathOrContent)
     : sessionPathOrContent;