fix(git-hooks,usage-log): fix two CI failures

pre-commit: guard the resolve-node.sh source with a file-existence
check so the hook works in test environments that stub only the files
they care about (the integration test creates run-node-tool.sh but not
resolve-node.sh; node is provided via a fake binary in PATH so the
nvm fallback is never needed in that context).

usage-log: replace Math.random() in makeId() with crypto.randomBytes()
to satisfy the temp-path-guard security lint rule that rejects weak
randomness in source files.

git-hooks/pre-commit

@@ -7,8 +7,12 @@ ROOT_DIR="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
 # Resolve node when not in PATH (e.g. nvm environments where the shell
 # profile hasn't been sourced by the git hook). Picks the newest installed
 # nvm version using version-aware sort so that v22 is preferred over v18.
-# shellcheck source=scripts/pre-commit/resolve-node.sh
-source "$ROOT_DIR/scripts/pre-commit/resolve-node.sh"
+_resolve_node_sh="$ROOT_DIR/scripts/pre-commit/resolve-node.sh"
+if [[ -f "$_resolve_node_sh" ]]; then
+  # shellcheck source=scripts/pre-commit/resolve-node.sh
+  source "$_resolve_node_sh"
+fi
+unset _resolve_node_sh
 RUN_NODE_TOOL="$ROOT_DIR/scripts/pre-commit/run-node-tool.sh"
 FILTER_FILES="$ROOT_DIR/scripts/pre-commit/filter-staged-files.mjs"
 

src/agents/usage-log.ts

@@ -1,3 +1,4 @@
+import { randomBytes } from "crypto";
 import fs from "fs/promises";
 import path from "path";
 
@@ -19,7 +20,7 @@ export type TokenUsageRecord = {
 };
 
 function makeId() {
-  return `usage_${Date.now().toString(36)}_${Math.random().toString(36).slice(2, 8)}`;
+  return `usage_${Date.now().toString(36)}_${randomBytes(4).toString("hex")}`;
 }
 
 async function readJsonArray(file: string): Promise<TokenUsageRecord[]> {