buddymon/hooks
pyr0ball 0c2d245632 fix: SESSION_FILE shadow bug + hooks matcher + 5 security/privacy mons
state.sh used SESSION_FILE for session.json (global tracking data).
Both hook handlers override SESSION_FILE to sessions/<pgrp>.json for
per-session isolation. buddymon_session_reset() at session-stop end
was writing _version:1 data INTO sessions/<pgrp>.json, leaving stale
wrong-format session files that broke buddy lookup.

Fix: rename state.sh variable to SESSION_DATA_FILE — no more collision.

Also:
- Add matcher:'*' to SessionStart and Stop hooks (CC 2.x compatibility)
- Add dead-session GC to session-start.sh (cleans up orphaned PGRP files)
- Add 5 new privacy/security bug_monsters:
  LeakWraith (uncommon) — exposed credentials
  CipherNull (uncommon) — weak/broken crypto (MD5, ECB, rand() for secrets)
  ConsentShadow (rare)  — tracking/analytics without consent (CF flagship villain)
  ThrottleDemon (common) — ignored 429s and missing backoff
  PrivacyLich (legendary) — GDPR/CCPA/breach debt; unkillable, only containable
2026-04-05 23:24:27 -07:00
hooks.json fix: SESSION_FILE shadow bug + hooks matcher + 5 security/privacy mons 2026-04-05 23:24:27 -07:00