fix: add input validation, date range checks, and security hardening

- validate-agents.js: reject invalid model names in agent frontmatter
- package-manager.js: validate script/binary names against shell injection
- session-manager.js: reject impossible month/day values in filenames
- utils.js: support options.all for replaceInFile string patterns
- strategic-compact/SKILL.md: fix hook matcher syntax and script reference
- install.sh: warn when overwriting existing rule customizations
- Add 24 new tests covering all validation and edge cases
Affaan Mustafa
2026-02-12 17:32:04 -08:00
parent 35aed05903
commit 926eba97c5
10 changed files with 312 additions and 10 deletions


@@ -8,6 +8,7 @@ const path = require('path');
const AGENTS_DIR = path.join(__dirname, '../../agents');
const REQUIRED_FIELDS = ['model', 'tools'];
const VALID_MODELS = ['haiku', 'sonnet', 'opus'];
function extractFrontmatter(content) {
// Strip BOM if present (UTF-8 BOM: \uFEFF)
@@ -62,6 +63,12 @@ function validateAgents() {
hasErrors = true;
}
}
// Validate model is a known value
if (frontmatter.model && !VALID_MODELS.includes(frontmatter.model)) {
console.error(`ERROR: ${file} - Invalid model '${frontmatter.model}'. Must be one of: ${VALID_MODELS.join(', ')}`);
hasErrors = true;
}
}
if (hasErrors) {
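Review bot: The new `console.error` in the model check interpolates `frontmatter.model` straight from the agent file into the log line, so a value containing newlines or terminal escape sequences would be written verbatim into CI output. Since this script exists to vet contributed agent files, I would print the value with `JSON.stringify(frontmatter.model)` instead of wrapping it in bare quotes. Separately, the `frontmatter.model &&` guard means an empty `model:` value skips the allowlist and relies entirely on the required-field check above, which sits outside this hunk; confirm that check rejects empty strings. The comparison is also exact and case-sensitive on whatever `extractFrontmatter` returns, so a short comment such as `// exact match: value must already be trimmed and unquoted` on the `VALID_MODELS.includes` line would document the assumption. The body of `validateAgents` starts and ends outside the visible lines.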