fix: address cubic-dev-ai + coderabbit round 3 review

cubic-dev-ai P2: dev_mode now defaults to "false" (strict mode).
Users opt in to dev mode by setting INSAITS_DEV_MODE=true.

cubic-dev-ai P2: Move null-status check above stdout/stderr writes
in wrapper so partial/corrupt output is never leaked. Pass through
original raw input on signal kill, matching the result.error path.

coderabbit major: Wrap insAItsMonitor() and send_message() in
try/except so SDK errors don't crash the hook. Logs warning and
exits 0 (fail-open) on exception.

coderabbit nitpick: write_audit now creates a new dict (enriched)
instead of mutating the caller's event dict.

coderabbit nitpick: Extract magic numbers to named constants:
MIN_CONTENT_LENGTH=10, MAX_SCAN_LENGTH=4000, DEFAULT_MODEL.

Also: added env var documentation to module docstring.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

scripts/hooks/insaits-security-wrapper.js

@@ -62,16 +62,18 @@ process.stdin.on('end', () => {
     process.exit(0);
   }
 
-  if (result.stdout) process.stdout.write(result.stdout);
-  if (result.stderr) process.stderr.write(result.stderr);
-
   // result.status is null when the process was killed by a signal or
-  // timed out.  Treat that as an error rather than silently passing.
+  // timed out.  Check BEFORE writing stdout to avoid leaking partial
+  // or corrupt monitor output.  Pass through original raw input instead.
   if (!Number.isInteger(result.status)) {
     const signal = result.signal || 'unknown';
     process.stderr.write(`[InsAIts] Security monitor killed (signal: ${signal}). Tool execution continues.\n`);
+    process.stdout.write(raw);
     process.exit(0);
   }
 
+  if (result.stdout) process.stdout.write(result.stdout);
+  if (result.stderr) process.stderr.write(result.stderr);
+
   process.exit(result.status);
 });