fix(integrity): adapt verify_hook + rtk verify for native rtk hook claude

- verify_hook() now checks ~/.claude/settings.json for "rtk hook claude"
  instead of looking for the rtk-rewrite.sh file + SHA-256 hash
- Verified = rtk hook claude present in PreToolUse hooks
- NoBaseline = legacy rtk-rewrite.sh detected (still works, needs migration)
- NotInstalled = neither hook registered
- run_verify() output updated to reflect settings.json check
- runtime_check() simplified (all settings.json states are non-blocking)
- show_claude_config() (rtk init --show) now reports hook presence from
  settings.json instead of the old file-based integrity check
- verify_hook_at() + read_stored_hash() gated #[cfg(test)] (legacy SHA-256
  logic only needed by existing hash-based tests)
- 7 new tests for verify_hook_in_settings() covering: native hook, legacy
  hook, missing file, empty object, no hooks key, no PreToolUse, unrelated cmd

Fixes: rtk verify reporting "SKIP RTK hook not installed" even when
rtk hook claude is registered; rtk init --show showing stale hook file status

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Florian BRUNIAUX <florian@bruniaux.com>

Author: FlorianBruniaux

src/init.rs

@@ -1788,54 +1788,24 @@ fn show_claude_config() -> Result<()> {
 
     println!("rtk Configuration:\n");
 
-    // Check hook
-    if hook_path.exists() {
-        #[cfg(unix)]
-        {
-            use std::os::unix::fs::PermissionsExt;
-            let metadata = fs::metadata(&hook_path)?;
-            let perms = metadata.permissions();
-            let is_executable = perms.mode() & 0o111 != 0;
-
-            let hook_content = fs::read_to_string(&hook_path)?;
-            let has_guards =
-                hook_content.contains("command -v rtk") && hook_content.contains("command -v jq");
-            let is_thin_delegator = hook_content.contains("rtk rewrite");
-            let hook_version = crate::hook_check::parse_hook_version(&hook_content);
-
-            if !is_executable {
-                println!(
-                    "[warn] Hook: {} (NOT executable - run: chmod +x)",
-                    hook_path.display()
-                );
-            } else if !is_thin_delegator {
-                println!(
-                    "[warn] Hook: {} (outdated — inline logic, not thin delegator)",
-                    hook_path.display()
-                );
-                println!(
-                    "   → Run `rtk init --global` to upgrade to the single source of truth hook"
-                );
-            } else if is_executable && has_guards {
-                println!(
-                    "[ok] Hook: {} (thin delegator, version {})",
-                    hook_path.display(),
-                    hook_version
-                );
-            } else {
-                println!(
-                    "[warn] Hook: {} (no guards - outdated)",
-                    hook_path.display()
-                );
-            }
+    // Check hook presence in settings.json
+    match integrity::verify_hook() {
+        Ok(integrity::IntegrityStatus::Verified) => {
+            println!("[ok] Hook: rtk hook claude registered in settings.json");
         }
-
-        #[cfg(not(unix))]
-        {
-            println!("[ok] Hook: {} (exists)", hook_path.display());
+        Ok(integrity::IntegrityStatus::NoBaseline) => {
+            println!("[warn] Hook: legacy rtk-rewrite.sh detected (run: rtk init -g to migrate)");
+        }
+        Ok(integrity::IntegrityStatus::NotInstalled) => {
+            println!("[--] Hook: not registered in settings.json (run: rtk init -g)");
+        }
+        Ok(integrity::IntegrityStatus::Tampered { .. })
+        | Ok(integrity::IntegrityStatus::OrphanedHash) => {
+            // Cannot occur from settings.json check
+        }
+        Err(_) => {
+            println!("[warn] Hook: settings.json check failed");
         }
-    } else {
-        println!("[--] Hook: not found");
     }
 
     // Check RTK.md
@@ -1845,26 +1815,6 @@ fn show_claude_config() -> Result<()> {
         println!("[--] RTK.md: not found");
     }
 
-    // Check hook integrity
-    match integrity::verify_hook_at(&hook_path) {
-        Ok(integrity::IntegrityStatus::Verified) => {
-            println!("[ok] Integrity: hook hash verified");
-        }
-        Ok(integrity::IntegrityStatus::Tampered { .. }) => {
-            println!("[FAIL] Integrity: hook modified outside rtk init (run: rtk verify)");
-        }
-        Ok(integrity::IntegrityStatus::NoBaseline) => {
-            println!("[warn] Integrity: no baseline hash (run: rtk init -g to establish)");
-        }
-        Ok(integrity::IntegrityStatus::NotInstalled)
-        | Ok(integrity::IntegrityStatus::OrphanedHash) => {
-            // Don't show integrity line if hook isn't installed
-        }
-        Err(_) => {
-            println!("[warn] Integrity: check failed");
-        }
-    }
-
     // Check global CLAUDE.md
     if global_claude_md.exists() {
         let content = fs::read_to_string(&global_claude_md)?;