
Add one-command security tools setup and pre-push scanning #250

Open
John-David Dalton (jdalton) wants to merge 1 commit into main from feat/setup-security-tools

@jdalton
Collaborator

Summary

  • Adds /setup-security-tools command to set up AgentShield, zizmor, and Socket Firewall in one step
  • Downloads binaries with SHA-256 verification, creates PATH shims (bash + Windows .cmd)
  • Adds blocking AgentShield and zizmor scans to pre-push hook
  • Updates security-scan SKILL.md with hook cross-reference

Files

  • .claude/hooks/setup-security-tools/ - Self-contained setup script with pinned deps
  • .claude/commands/setup-security-tools.md - Claude Code slash command
  • .git-hooks/pre-push - Updated with AgentShield + zizmor pre-checks
  • .claude/skills/security-scan/SKILL.md - Added hook cross-reference
  • .gitignore - Updated to track .claude/hooks/ and .claude/settings.json

Test plan

  • Run /setup-security-tools in Claude Code and verify all three tools install
  • Verify git push triggers AgentShield and zizmor checks
  • Verify SFW shims are created at ~/.socket/sfw/shims/
  • Verify re-running is idempotent (skips cached binaries)
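
Added example, not part of this pull request or its setup script: one way to combine the SHA-256 verification and the idempotent cache skip described in the summary and test plan. The function names, paths and the pinned digest are hypothetical, and the download step is assumed to have already staged the file locally.

```shell
#!/usr/bin/env bash
# Added example: verify a staged download against a pinned SHA-256 before
# installing it, and skip the work when a verified copy is already cached.
# All names, paths and digests here are hypothetical.

# Print the lowercase hex SHA-256 of a file (GNU coreutils or macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# install_verified <staged-file> <dest> <pinned-sha256>
# Prints "installed" or "cached" and returns 0; returns 1 on digest mismatch.
install_verified() {
  staged=$1 dest=$2 pin=$3

  # Idempotent path: re-hash the cached binary instead of trusting that a
  # file with the right name is the right file.
  if [ -f "$dest" ] && [ "$(sha256_of "$dest")" = "$pin" ]; then
    echo "cached"
    return 0
  fi

  actual=$(sha256_of "$staged")
  if [ "$actual" != "$pin" ]; then
    echo "mismatch: expected $pin, got $actual" >&2
    rm -f "$staged"        # do not leave an unverified file lying around
    return 1
  fi

  mkdir -p "$(dirname "$dest")"
  chmod 0755 "$staged"
  mv -f "$staged" "$dest"  # promote only after the digest check passed
  echo "installed"
}
```

Re-hashing the cached copy on every run means a binary that was modified after installation is replaced rather than silently reused.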
