fix: harden CI validators, shell scripts, and expand test suite

- Add try-catch around readFileSync in validate-agents, validate-commands,
  validate-skills to handle TOCTOU races and file read errors
- Add validate-hooks.js and all test suites to package.json test script
  (was only running 4/5 validators and 0/4 test files)
- Fix shell variable injection in observe.sh: use os.environ instead of
  interpolating $timestamp/$OBSERVATIONS_FILE into Python string literals
- Fix $? always being 0 in start-observer.sh: capture exit code before
  conditional since `if !` inverts the status
- Add OLD_VERSION validation in release.sh and use pipe delimiter in sed
  to avoid issues with slash-containing values
- Add jq dependency check in evaluate-session.sh before parsing config
- Sync .cursor/ copies of all modified shell scripts

scripts/release.sh

@@ -47,15 +47,19 @@ fi
 
 # Read current version
 OLD_VERSION=$(grep -oE '"version": *"[^"]*"' "$PLUGIN_JSON" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
+if [[ -z "$OLD_VERSION" ]]; then
+  echo "Error: Could not extract current version from $PLUGIN_JSON"
+  exit 1
+fi
 echo "Bumping version: $OLD_VERSION -> $VERSION"
 
-# Update version in plugin.json (cross-platform sed)
+# Update version in plugin.json (cross-platform sed, pipe-delimiter avoids issues with slashes)
 if [[ "$OSTYPE" == "darwin"* ]]; then
   # macOS
-  sed -i '' "s/\"version\": *\"[^\"]*\"/\"version\": \"$VERSION\"/" "$PLUGIN_JSON"
+  sed -i '' "s|\"version\": *\"[^\"]*\"|\"version\": \"$VERSION\"|" "$PLUGIN_JSON"
 else
   # Linux
-  sed -i "s/\"version\": *\"[^\"]*\"/\"version\": \"$VERSION\"/" "$PLUGIN_JSON"
+  sed -i "s|\"version\": *\"[^\"]*\"|\"version\": \"$VERSION\"|" "$PLUGIN_JSON"
 fi
 
 # Stage, commit, tag, and push