fix: guard session store against array corruption

src/infra/state-migrations.fs.test.ts

@@ -0,0 +1,18 @@
+import fs from "node:fs/promises";
+import os from "node:os";
+import path from "node:path";
+import { describe, expect, it } from "vitest";
+
+import { readSessionStoreJson5 } from "./state-migrations.fs.js";
+
+describe("state migrations fs", () => {
+  it("treats array session stores as invalid", async () => {
+    const dir = await fs.mkdtemp(path.join(os.tmpdir(), "clawdbot-session-store-"));
+    const storePath = path.join(dir, "sessions.json");
+    await fs.writeFile(storePath, "[]", "utf-8");
+
+    const result = readSessionStoreJson5(storePath);
+    expect(result.ok).toBe(false);
+    expect(result.store).toEqual({});
+  });
+});

src/infra/state-migrations.fs.ts

@@ -48,7 +48,7 @@ export function readSessionStoreJson5(storePath: string): {
   try {
     const raw = fs.readFileSync(storePath, "utf-8");
     const parsed = JSON5.parse(raw);
-    if (parsed && typeof parsed === "object") {
+    if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
       return { store: parsed as Record<string, SessionEntryLike>, ok: true };
     }
   } catch {