fix: make plugin hooks run on Node 21+ and green the suite under modern Node (#2184)

ROOT CAUSE: hooks load plugin-hook-bootstrap.js via
`node -e "...; process.argv.splice(1,0,s); require(s)"`. On Node 21+,
require.main is `undefined` under --eval, so the `if (require.main === module)`
guard was false and main() never ran — every plugin hook silently no-op'd
(e.g. the MCP-health PreToolUse hook stopped blocking). CI (Node 18/20) hid
this; it only surfaces on Node 21+. Fix: also run main() when require.main is
undefined (the eval-bootstrap case), while staying dormant on real imports.

Also clears pre-existing main debt the full local suite enforces:
- catalog:sync — README/docs agent+skill counts drifted after recent merges
- tests/ci/supply-chain-watch-workflow: update checkout SHA to the merged v6.0.3 (#2183)
- markdownlint + check-unicode-safety --write across docs/skills

Suite: 2683/2683 green under Node v25; lint + unicode clean.

Co-authored-by: ECC Test <ecc@example.test>

skills/fastapi-patterns/SKILL.md

@@ -510,4 +510,4 @@ async def list_items(db: AsyncSession = Depends(get_db)):
 - Wrap database mutation boundaries gracefully within transactions inside your service layer, catching structural database errors directly.
 - Parse JWT parameters defensively, expecting potential string/integer cast mismatches from modern payload variations.
 - Enforce deterministic sorting (e.g., `.order_by(Model.id)`) on all offset/limit paginated endpoints to avoid data skips.
-- Isolate authorization checks from core authentication dependencies to provide precise REST status signals (`401` vs `403`).
+- Isolate authorization checks from core authentication dependencies to provide precise REST status signals (`401` vs `403`).