fix: make plugin hooks run on Node 21+ and green the suite under modern Node (#2184)

ROOT CAUSE: hooks load plugin-hook-bootstrap.js via
`node -e "...; process.argv.splice(1,0,s); require(s)"`. On Node 21+,
require.main is `undefined` under --eval, so the `if (require.main === module)`
guard was false and main() never ran — every plugin hook silently no-op'd
(e.g. the MCP-health PreToolUse hook stopped blocking). CI (Node 18/20) hid
this; it only surfaces on Node 21+. Fix: also run main() when require.main is
undefined (the eval-bootstrap case), while staying dormant on real imports.

Also clears pre-existing main debt the full local suite enforces:
- catalog:sync — README/docs agent+skill counts drifted after recent merges
- tests/ci/supply-chain-watch-workflow: update checkout SHA to the merged v6.0.3 (#2183)
- markdownlint + check-unicode-safety --write across docs/skills

Suite: 2683/2683 green under Node v25; lint + unicode clean.

Co-authored-by: ECC Test <ecc@example.test>

agents/php-reviewer.md

@@ -96,7 +96,7 @@ Fix: What to change
 ## Framework Checks
 
 - **Laravel**: N+1 via `with()`/`load()`, `$fillable`/`$casts`, FormRequest validation, route model binding, `Gate`/`Policy` authorization, Sanctum token abilities, queue idempotency
-- **Livewire**: Proper `#[Rule]` attributes, authorization in ` authorize()`, wire:model security
+- **Livewire**: Proper `#[Rule]` attributes, authorization in `authorize()`, wire:model security
 - **Filament**: Form/table authorization, `canAccess()`, policy registration
 - **Plain PHP**: PDO prepared statements, password_hash/password_verify, header-based CSRF