fix: address Copilot review - tighten pre-commit filter, document TTL sync

- pre-commit-safety.sh: only exclude `mod tests` hunks (not `fn test_*`)
  to avoid hiding unwrap/assert in production functions like test_server()
- session.rs: extract AUTH_MODE_TTL_SECS constant and add doc comment
  linking to OAUTH_FLOW_EXPIRY to prevent silent drift

[skip-regression-check]

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ilblackdragon

scripts/pre-commit-safety.sh

@@ -136,10 +136,12 @@ fi
 PROD_DIFF="$DIFF_OUTPUT"
 # Strip hunks from test-only files (tests/ directory, *_test.rs, test_*.rs)
 PROD_DIFF=$(echo "$PROD_DIFF" | grep -v '^+++ b/tests/' || true)
-# Strip hunks whose @@ context line indicates a test function or module
-# (git diff -U0 includes the enclosing function name after @@).
+# Strip hunks whose @@ context line indicates a test module.
+# git diff includes the enclosing function/module name after @@.
+# Only match `mod tests` (the conventional #[cfg(test)] module) — do NOT
+# match `fn test_*` because production code can have functions named test_*.
 PROD_DIFF=$(echo "$PROD_DIFF" | awk '
-    /^@@ / { in_test = ($0 ~ /fn test_/ || $0 ~ /mod tests/) }
+    /^@@ / { in_test = ($0 ~ /mod tests/) }
     !in_test { print }
 ' || true)
 if echo "$PROD_DIFF" | grep -nE '^\+' \

src/agent/session.rs

@@ -135,8 +135,11 @@ pub enum ThreadState {
 
 /// Pending auth token request.
 ///
-/// Auth mode TTL — matches `OAUTH_FLOW_EXPIRY` (5 minutes).
-const AUTH_MODE_TTL: TimeDelta = TimeDelta::minutes(5);
+/// Auth mode TTL — must stay in sync with
+/// `crate::cli::oauth_defaults::OAUTH_FLOW_EXPIRY` (5 minutes / 300 s).
+/// Defined separately to avoid a session→cli module dependency.
+const AUTH_MODE_TTL_SECS: i64 = 300;
+const AUTH_MODE_TTL: TimeDelta = TimeDelta::seconds(AUTH_MODE_TTL_SECS);
 
 /// When `tool_auth` returns `awaiting_token`, the thread enters auth mode.
 /// The next user message is intercepted before entering the normal pipeline