fix: address CodeRabbit review — convert to PreToolUse, add type annotations, logging

Critical fixes:
- Convert hook from PostToolUse to PreToolUse so exit(2) blocking works
- Change all python references to python3 for cross-platform compat
- Add insaits-security-wrapper.js to bridge run-with-flags.js to Python

Standard fixes:
- Wrap hook with run-with-flags.js so users can disable via
  ECC_DISABLED_HOOKS="pre:insaits-security"
- Add "async": true to hooks.json entry
- Add type annotations to all function signatures (Dict, List, Tuple, Any)
- Replace all print() statements with logging module (stderr)
- Fix silent OSError swallow in write_audit — now logs warning
- Remove os.environ.setdefault('INSAITS_DEV_MODE') — pass dev_mode=True
  through monitor constructor instead
- Update hooks/README.md: moved to PreToolUse table, "detects" not
  "catches", clarify blocking vs non-blocking behavior

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

scripts/hooks/insaits-security-wrapper.js

@@ -0,0 +1,62 @@
+#!/usr/bin/env node
+/**
+ * InsAIts Security Monitor — wrapper for run-with-flags compatibility.
+ *
+ * This thin wrapper receives stdin from the hooks infrastructure and
+ * delegates to the Python-based insaits-security-monitor.py script.
+ *
+ * The wrapper exists because run-with-flags.js spawns child scripts
+ * via `node`, so a JS entry point is needed to bridge to Python.
+ */
+
+'use strict';
+
+const path = require('path');
+const { spawnSync } = require('child_process');
+
+const MAX_STDIN = 1024 * 1024;
+
+let raw = '';
+process.stdin.setEncoding('utf8');
+process.stdin.on('data', chunk => {
+  if (raw.length < MAX_STDIN) {
+    raw += chunk.substring(0, MAX_STDIN - raw.length);
+  }
+});
+
+process.stdin.on('end', () => {
+  const scriptDir = __dirname;
+  const pyScript = path.join(scriptDir, 'insaits-security-monitor.py');
+
+  // Try python3 first (macOS/Linux), fall back to python (Windows)
+  const pythonCandidates = ['python3', 'python'];
+  let result;
+
+  for (const pythonBin of pythonCandidates) {
+    result = spawnSync(pythonBin, [pyScript], {
+      input: raw,
+      encoding: 'utf8',
+      env: process.env,
+      cwd: process.cwd(),
+      timeout: 14000,
+    });
+
+    // ENOENT means binary not found — try next candidate
+    if (result.error && result.error.code === 'ENOENT') {
+      continue;
+    }
+    break;
+  }
+
+  if (!result || (result.error && result.error.code === 'ENOENT')) {
+    process.stderr.write('[InsAIts] python3/python not found. Install Python 3.9+ and: pip install insa-its\n');
+    process.stdout.write(raw);
+    process.exit(0);
+  }
+
+  if (result.stdout) process.stdout.write(result.stdout);
+  if (result.stderr) process.stderr.write(result.stderr);
+
+  const code = Number.isInteger(result.status) ? result.status : 0;
+  process.exit(code);
+});