Add Claude Code hooks and new-credential skill

Hooks:
- PreToolUse: block direct edits to credential files (99-claude, etc.)
- PostToolUse: auto-run shellcheck after editing bash.d scripts

Skill:
- /new-credential: scaffolds a credential file pair (.example template +
  real file), adds to .gitignore, sets permissions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.claude/hooks/block-credential-edit.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# PreToolUse hook: block direct edits to credential files.
+# Only .example templates should be modified — real secrets stay untouched.
+
+set -euo pipefail
+
+input=$(cat)
+file_path=$(echo "$input" | jq -r '.tool_input.file_path // empty')
+
+# No file path in input (e.g. Bash tool) — allow
+[[ -z "$file_path" ]] && exit 0
+
+basename=$(basename "$file_path")
+
+# Block known credential files (but allow .example templates)
+case "$basename" in
+    99-claude|99-gemini|99-google|99-huggingface|99-replicate)
+        echo "Blocked: do not edit credential files directly — edit the .example template instead" >&2
+        exit 2
+        ;;
+esac
+
+exit 0

.claude/hooks/shellcheck-on-edit.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+# PostToolUse hook: run shellcheck after editing a bash.d script.
+# Skips non-script files (markdown, .gitignore, etc).
+
+set -euo pipefail
+
+input=$(cat)
+file_path=$(echo "$input" | jq -r '.tool_input.file_path // empty')
+
+# No file path — nothing to check
+[[ -z "$file_path" ]] && exit 0
+
+basename=$(basename "$file_path")
+
+# Only check files that match the numbered script naming convention
+# or .example templates (which are also valid shell scripts)
+case "$basename" in
+    [0-9][0-9]-*|[0-9][0-9]-*.example) ;;
+    *) exit 0 ;;
+esac
+
+# File must still exist (Write could have been to a new path)
+[[ -f "$file_path" ]] || exit 0
+
+# Run shellcheck — exit 2 feeds stderr back to Claude
+if ! shellcheck "$file_path" 2>&1; then
+    echo "shellcheck failed on $basename — please fix the issues above" >&2
+    exit 2
+fi
+
+exit 0