#16531: fix(sessions): allow WhatsApp-style identifiers in session IDs (#16211)

## Summary Fixes #16211 — WhatsApp routing keys contain `:` and `+` (e.g. `agent:wa-relay:whatsapp:+15551234567`) which are rejected by `validateSessionId()`. ## Changes **`src/config/sessions/paths.ts`** - Expand `SAFE_SESSION_ID_RE` to accept `:` and `+` - Add `dotQuote()`/`dotUnquote()` for filesystem-safe transcript filenames (`.` → `.2E`, `+` → `.2B`, `:` → `.3A`) - Use dot-quoting in `resolveSessionTranscriptPathInDir()` **`src/config/sessions/paths.test.ts`** - WhatsApp-style ID validation tests - Dot-quoting roundtrip and encoding tests - Path traversal rejection tests ## Why dot-quoting Per reviewer feedback on the previous attempt: `%`-encoding creates shell/filesystem issues. Dot-quoting (`.XX` hex) is cleaner, avoids `%` escaping, and is fully reversible. --- ## Local Validation - `pnpm build` ✅ - `pnpm check` (oxlint) ✅ - Relevant test suites pass ✅ ## Contribution Checklist - [x] Focused scope — single fix per PR - [x] Clear "what" + "why" in description - [x] AI-assisted (Codex/Claude) — reviewed and tested by human - [x] Local validation run (`pnpm build && pnpm check`) *AI-assisted (Claude). Reviewed by human.* <!-- greptile_comment --> <h3>Greptile Summary</h3> This PR expands session ID validation to accept WhatsApp-style routing keys containing `:` and `+` (e.g., `agent:wa-relay:whatsapp:+15551234567`). Since these characters are unsafe in filenames, the PR introduces a dot-quoting scheme (`.` → `.2E`, `+` → `.2B`, `:` → `.3A`) applied to session IDs when generating transcript file paths. - The regex change in `SAFE_SESSION_ID_RE` is correct — the trailing `-` in the character class `[a-z0-9._:+-]` is treated as a literal hyphen by JavaScript's regex engine - The `dotQuote`/`dotUnquote` encoding scheme is sound and correctly roundtrips, even for edge cases like session IDs containing dot-quote-like sequences (e.g., `a.2E`) - Backward compatibility is maintained for existing sessions via the stored `sessionFile` field in the session store — only sessions without a stored `sessionFile` that have `.` in their ID would resolve to a different (dot-quoted) path - Tests cover WhatsApp-style ID acceptance, dot-quoting encoding/decoding, roundtrip correctness, and path traversal rejection <h3>Confidence Score: 4/5</h3> - This PR is safe to merge with minimal risk — the changes are well-scoped and the encoding scheme is sound. - The regex change correctly handles the trailing hyphen as a literal character. The dot-quoting scheme is well-designed, roundtrips correctly, and avoids filesystem-unsafe characters. Tests are comprehensive. The only minor concern is backward compatibility for sessions with `.` in the ID that don't have a stored `sessionFile`, which is a narrow edge case. No security issues — path traversal is still correctly rejected. - No files require special attention _{Last reviewed commit: 36c38fd} <!-- greptile_other_comments_section --> <!-- /greptile_comment -->