feat(07-05): implement keyhunter hook install/uninstall with embedded pre-commit script

- cmd/hook.go: install/uninstall subcommands with --force flag
- cmd/hook_script.sh: embedded via go:embed, runs keyhunter scan on staged files
- KEYHUNTER-HOOK v1 marker prevents accidental deletion of non-owned hooks
- Backup existing hooks on --force install
- cmd/hook_test.go: 10 tests covering fresh install, non-repo, force/backup, overwrite, uninstall lifecycle
- Remove hookCmd stub from cmd/stubs.go

cmd/hook_script.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# KEYHUNTER-HOOK v1 — managed by `keyhunter hook install`
+# Remove via `keyhunter hook uninstall`.
+set -e
+
+files=$(git diff --cached --name-only --diff-filter=ACMR)
+if [ -z "$files" ]; then
+  exit 0
+fi
+
+# Run keyhunter against each staged file. Exit code 1 from keyhunter
+# means findings present; 2 means scan error. Either blocks the commit.
+echo "$files" | xargs -r keyhunter scan --exit-code
+status=$?
+if [ $status -ne 0 ]; then
+  echo "keyhunter: pre-commit blocked (exit $status). Run 'git commit --no-verify' to bypass." >&2
+  exit $status
+fi
+exit 0