fix: add input validation, date range checks, and security hardening

- validate-agents.js: reject invalid model names in agent frontmatter
- package-manager.js: validate script/binary names against shell injection
- session-manager.js: reject impossible month/day values in filenames
- utils.js: support options.all for replaceInFile string patterns
- strategic-compact/SKILL.md: fix hook matcher syntax and script reference
- install.sh: warn when overwriting existing rule customizations
- Add 24 new tests covering all validation and edge cases
Affaan Mustafa
2026-02-12 17:32:04 -08:00
parent 35aed05903
commit 926eba97c5
10 changed files with 312 additions and 10 deletions


@@ -31,6 +31,11 @@ function parseSessionFilename(filename) {
if (!match) return null;
const dateStr = match[1];
// Validate date components are in valid ranges (not just format)
const [year, month, day] = dateStr.split('-').map(Number);
if (month < 1 || month > 12 || day < 1 || day > 31) return null;
// match[2] is undefined for old format (no ID)
const shortId = match[2] || 'no-id';
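Review bot: The added range check `if (month < 1 || month > 12 || day < 1 || day > 31) return null;` still accepts dates that do not exist, for example a filename dated 02-31 or 04-31, because `day` is compared against 31 whatever the month is. `year` is destructured but never read. A calendar round-trip would use it and close the gap: `const d = new Date(Date.UTC(year, month - 1, day));` followed by `if (d.getUTCMonth() !== month - 1 || d.getUTCDate() !== day) return null;`. The rest of `parseSessionFilename` lies outside this hunk, so if it later builds a `Date` from `dateStr`, whether such a value rolls over or becomes Invalid Date is not visible here. A one-line comment stating that the filename date must be a real calendar date would also make the intent clear to the next reader.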