fix(hooks): Read stdin JSON in dangerous-cmd/pre-commit-lint/enforce-uv
These three PreToolUse hooks read only $1, so under the modern hook
contract (tool call delivered as JSON on stdin) they received an empty
INPUT and silently no-op'd — including the destructive-command block.
Copy the exact stdin-JSON pattern already used by every other
Bash-matcher hook (pre-install-scan.sh, worktree-guard.sh): when $1 is
empty and stdin is not a TTY, read stdin and extract
.tool_input.command via jq, keeping $1 as the legacy fallback. Matching
logic and exit-code semantics (deny=2 vs allow=0) are unchanged.
Verified by piping sample PreToolUse payloads into each script (fires
on "git push --force", "git commit", "pip install"; exits 0 on safe
commands and empty input) and confirming the legacy $1 path still
works. tests/validate.sh: 111 passed, 0 failed.
NOTE: ~/.claude is a copy of this repo — re-run scripts/install.ps1
after landing or the stale global hooks keep no-op'ing.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>