feat: enforce feature branch workflow with PreToolUse hook

Add a guard script that blocks git commit/push on protected branches
(develop, main, master) via a PreToolUse hook. Update CLAUDE.md with
stricter branching rules: one commit per task, immediate commits on
feature branches, no direct commits to protected branches.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.claude/guard-branch.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# PreToolUse hook for Bash tool: blocks git commit/push on protected branches.
+# TOOL_INPUT is JSON with a "command" field containing the bash command.
+
+PROTECTED_BRANCHES=("develop" "main" "master")
+
+COMMAND="${TOOL_INPUT:-}"
+
+# Only check commands that look like git commit or git push
+if ! echo "$COMMAND" | grep -qE '\bgit\b.*(commit|push)'; then
+  exit 0
+fi
+
+BRANCH="$(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "")"
+
+for protected in "${PROTECTED_BRANCHES[@]}"; do
+  if [[ "$BRANCH" == "$protected" ]]; then
+    echo "BLOCKED: Cannot commit or push on protected branch '$BRANCH'."
+    echo "Create a feature branch first: git checkout -b feature/<name>"
+    exit 2
+  fi
+done
+
+exit 0

.claude/settings.json

@@ -6,13 +6,14 @@
     "PreCompact": [
       { "hooks": [{ "type": "command", "command": "beans prime" }] }
     ],
-    "PreToolCall": [
+    "PreToolUse": [
       {
         "matcher": "Bash",
         "hooks": [
           {
             "type": "command",
-            "command": "bash -c 'if echo \"$TOOL_INPUT\" | grep -q \"git commit\"; then BRANCH=$(git branch --show-current); if [ \"$BRANCH\" = \"develop\" ] || [ \"$BRANCH\" = \"main\" ]; then echo \"BLOCK: Cannot commit directly to $BRANCH. Create a feature branch first: git checkout -b feature/<name>\"; exit 2; fi; fi'"
+            "command": ".claude/guard-branch.sh",
+            "statusMessage": "Checking branch protection..."
           }
         ]
       }