feat(safety): PreToolUse hook gating destructive tool calls (FNDG-04b, Option A)

Adds internal/safety/ — the in-repo source of truth for the PreToolUse hook
deployed into every project before a Claude Code agent is launched. The hook
blocks destructive Bash/Edit/Write patterns on sessions running with
--dangerously-skip-permissions, closing the exploitation path where a prompt
injection via MCP sessions.send could otherwise trigger arbitrary destruction
without interactive confirmation.

Wire-up:
- internal/dispatcher/dispatcher.go launchAgent: deploys hook before claude
  launch; fail-closed if deployment fails.
- internal/switcher/account_switcher.go relaunchDedicatedSessions: redeploys
  hook before --resume after account failover; fail-open (log + continue)
  since the initial deployment is still in place.

Blocks (exit 2, stderr shown to model):
- rm -rf targeting /, ~, $HOME, /etc, /var, /usr, /boot
- dd of=/dev/{sd,nvme,disk,hd,mmcblk}*, mkfs*
- git push --force (but allows --force-with-lease)
- git reset --hard on main|master|production
- sudo outside short allowlist (systemctl, journalctl, cp, install, apt*)
- curl|sh, bash <(curl ...), eval "$(curl ...)", fork bomb, crontab -e
- chmod 777 on system paths / home
- Writes to .claude/settings*.json, .claude/hooks/, ~/.ssh/authorized_keys,
  shell rc files, /etc/sudoers*, /etc/systemd/*

Warn-only (logged, not blocked):
- kubectl delete, helm uninstall, terraform destroy
- DROP TABLE, TRUNCATE TABLE, DELETE FROM ... WHERE 1=1

Hook script is embedded via //go:embed so a single binary release carries
the authoritative copy. Every launch rewrites the deployed file with mode
0555 (anti-tamper); the hook itself also blocks writes to .claude/hooks/
for defense in depth.

Decision: Olivier, 2026-04-19 — Option A now, Option C (two pools) tracked
separately. Complements FNDG-04 input sanitization in secuaas-mcp.

Tests: 8 unit/integration tests in internal/safety/, plus a dispatcher-level
test verifying the hook is written before launch. go vet clean, go test ./...
all pass.

Refs: FNDG-04 audit (secuaas-mcp branch audit/mcp-stdio-2026-04-18)
Task:  .agent-queue/inbox/20260418-211102-fndg-04b-*.md

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

internal/switcher/account_switcher.go

@@ -18,6 +18,7 @@ import (
 	"forge.secuaas.ovh/olivier/claude-failover/internal/config"
 	"forge.secuaas.ovh/olivier/claude-failover/internal/notify"
 	"forge.secuaas.ovh/olivier/claude-failover/internal/quota"
+	"forge.secuaas.ovh/olivier/claude-failover/internal/safety"
 	"forge.secuaas.ovh/olivier/claude-failover/internal/state"
 	"forge.secuaas.ovh/olivier/claude-failover/internal/symlinks"
 	"forge.secuaas.ovh/olivier/claude-failover/internal/tmux"
@@ -298,6 +299,16 @@ func (a *AccountSwitcher) relaunchDedicatedSessions(targetHome string) {
 			a.logger.Printf("[switcher] invalid UUID for %q: %q", ds.Name, uuid)
 			continue
 		}
+		// FNDG-04b: redeploy the PreToolUse safety hook into the dedicated
+		// session's project before --resume. Failure is logged, not fatal:
+		// we'd rather relaunch the session without a refreshed hook than
+		// leave the user stuck after a quota failover. The existing hook
+		// (deployed at initial launch) remains in place.
+		if ds.Project != "" {
+			if err := safety.EnsureHookDeployed(ds.Project); err != nil {
+				a.logger.Printf("[switcher] safety hook redeploy %q: %v (continuing)", ds.Name, err)
+			}
+		}
 		// targetHome is operator-controlled (config file); uuid is regex-validated.
 		// Neither is user-supplied runtime input, so shell interpolation is safe.
 		cmd := fmt.Sprintf("CLAUDE_CONFIG_DIR=%s claude --dangerously-skip-permissions --resume %s",