fix: address codex review comments on #36630

- Reject non-decimal quote IDs in normalizeSignalQuoteId: validate string
  contains only decimal digits before Number() conversion, preventing hex
  (0x10) and scientific notation (1e3) from normalizing to wrong IDs

Other review findings were already addressed in prior commits:
- Group quote author guard: resolveSignalQuoteMetadata returns {} when
  isGroup && !quoteAuthor (reply-quote.ts:35-37)
- UUID normalization: normalizeCachedMessageAuthor adds uuid: prefix for
  bare UUIDs (event-handler.ts:132)
- Explicit reply targets: preserved via explicitPayloadReplyTo check in
  deliver.ts (not cleared by replyConsumed)
- Reply consumption: trackReplyConsumption only marks consumed after
  actual successful send with applicable reply metadata
- replyToId:null suppression: explicit null correctly flows through
  deliver.ts nullish checks without falling back to inherited reply
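
The decimal-only rule described in the commit message, as an added example that is not the project's own code: a stand-alone `normalizeQuoteId` (our name, modelled on the described `normalizeSignalQuoteId` but written independently) exercised against constructed inputs, including the hex and scientific-notation cases the message names, and tightened with `Number.isSafeInteger` so that digit strings beyond 2^53 are rejected rather than silently rounded to a different ID.

```typescript
// Added example, not code from the project. normalizeQuoteId is a
// stand-alone reimplementation of the "decimal digits only" check; the
// vectors below are constructed for illustration.

function normalizeQuoteId(rawId?: string | number): string | undefined {
  if (rawId == null) return undefined;
  const trimmed = String(rawId).trim();
  if (!trimmed) return undefined;
  // \d in a JavaScript regex without the u flag is exactly [0-9], so this
  // rejects "0x10", "1e3", "+7", "7.0", underscores and non-ASCII digits.
  if (!/^\d+$/.test(trimmed)) return undefined;
  const numeric = Number(trimmed);
  // isSafeInteger rather than isInteger: a 17+ digit string still yields an
  // integer-valued double, but one that no longer equals the ID supplied.
  return Number.isSafeInteger(numeric) && numeric > 0 ? String(numeric) : undefined;
}

// [input, expected result]; constructed vectors covering accepted and rejected shapes.
const VECTORS: ReadonlyArray<[string | number, string | undefined]> = [
  ["1710000000000", "1710000000000"], // millisecond-timestamp style ID
  [42, "42"],                          // numeric input is stringified first
  [" 42 ", "42"],                      // surrounding whitespace is trimmed
  ["007", "7"],                        // leading zeros are accepted but rewritten
  ["0x10", undefined],                 // hex: Number("0x10") === 16
  ["1e3", undefined],                  // scientific: Number("1e3") === 1000
  ["+7", undefined],                   // Number("+7") === 7
  ["7.0", undefined],                  // Number("7.0") === 7 and isInteger is true
  ["12_345", undefined],
  ["１２", undefined],                 // full-width digits are not [0-9]
  ["0", undefined],                    // must be strictly positive
  ["", undefined],
  ["12345678901234567890", undefined], // above MAX_SAFE_INTEGER: would round
];

// Returns a description of every vector whose result differs from the
// expectation; an empty array means all vectors behave as documented.
function checkVectors(): string[] {
  const failures: string[] = [];
  for (const [input, expected] of VECTORS) {
    const actual = normalizeQuoteId(input);
    if (actual !== expected) {
      failures.push(`${JSON.stringify(input)} -> ${String(actual)} (expected ${String(expected)})`);
    }
  }
  return failures;
}

// Shows what the looser isInteger check would have produced for an oversized
// digit string: an integer-valued double that is not the input.
function roundedUnderIsInteger(digits: string): string | undefined {
  const numeric = Number(digits);
  return Number.isInteger(numeric) && numeric > 0 ? String(numeric) : undefined;
}

console.log(checkVectors());
console.log(roundedUnderIsInteger("12345678901234567890"));
```

Note the "007" vector: it passes the digit-only regex and is returned as "7". If an ID with leading zeros must be preserved verbatim, compare `String(numeric)` against `trimmed` instead of returning `String(numeric)`.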
Joey Krug 2026-03-21 01:19:39 -04:00
parent 9debe07ec2
commit 8cbd9f425f


@ -64,6 +64,11 @@ export function normalizeSignalQuoteId(rawId?: SignalQuote["id"]) {
if (!trimmed) {
return undefined;
}
// Only accept decimal digit strings — reject hex (0x10), scientific (1e3),
// and other Number()-parseable formats that would normalize to a different ID.
if (!/^\d+$/.test(trimmed)) {
return undefined;
}
const numeric = Number(trimmed);
return Number.isInteger(numeric) && numeric > 0 ? String(numeric) : undefined;
}
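Review bot: the final guard `return Number.isInteger(numeric) && numeric > 0 ? String(numeric) : undefined;` still lets a digit-only string longer than 16 characters through with a changed value: `Number("12345678901234567890")` is integer-valued but is not equal to the input, so `String(numeric)` returns a different ID, which is exactly what the new comment says this hunk is meant to prevent. Use `Number.isSafeInteger(numeric)` instead of `Number.isInteger(numeric)` so out-of-range IDs are rejected rather than rewritten. In the same line, leading zeros ("007") pass the `^\d+$` test and come back as "7"; if that rewrite is intentional, the comment above the regex should say so, otherwise compare `String(numeric)` against `trimmed` before returning.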