fix: address cubic-dev-ai review — 3 issues

P1: Log non-ENOENT spawn errors (timeout, signal kill) to stderr
instead of silently exiting 0. Separate handling for result.error
and null result.status so users know when the security monitor
failed to run.

P1: Remove "async": true from hooks.json — async hooks run in the
background and cannot block tool execution. The security hook needs
to be synchronous so exit(2) actually prevents credential exposure
and other critical findings from proceeding.

P2: Remove dead tool_response/tool_result code from extract_content.
In a PreToolUse hook the tool hasn't executed yet, so tool_response
is never populated. Removed the variable and the unreachable branch
that appended its content.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

scripts/hooks/insaits-security-wrapper.js

@@ -54,9 +54,24 @@ process.stdin.on('end', () => {
     process.exit(0);
   }
 
+  // Log non-ENOENT spawn errors (timeout, signal kill, etc.) so users
+  // know the security monitor did not run — fail-open with a warning.
+  if (result.error) {
+    process.stderr.write(`[InsAIts] Security monitor failed to run: ${result.error.message}\n`);
+    process.stdout.write(raw);
+    process.exit(0);
+  }
+
   if (result.stdout) process.stdout.write(result.stdout);
   if (result.stderr) process.stderr.write(result.stderr);
 
-  const code = Number.isInteger(result.status) ? result.status : 0;
-  process.exit(code);
+  // result.status is null when the process was killed by a signal or
+  // timed out.  Treat that as an error rather than silently passing.
+  if (!Number.isInteger(result.status)) {
+    const signal = result.signal || 'unknown';
+    process.stderr.write(`[InsAIts] Security monitor killed (signal: ${signal}). Tool execution continues.\n`);
+    process.exit(0);
+  }
+
+  process.exit(result.status);
 });