fix: remove unnecessary companion allowlist and add jq availability check

The regex `codex\s` already won't match `codex-companion` (hyphen, not
space), so the substring allowlist was redundant and could be bypassed
with chained commands. Removed it. Also added a jq availability check
that passes through gracefully if jq is missing — no hard dependency
introduced but the guard works when jq is present (which we expect).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: peterdrier

plugins/codex/hooks/block-direct-codex-cli.sh

@@ -1,14 +1,15 @@
 #!/bin/bash
 # PreToolUse hook: block direct "codex" CLI invocations and redirect to the plugin.
+
+# jq is expected but not a hard dependency — pass through if unavailable.
+command -v jq &>/dev/null || exit 0
+
 INPUT=$(cat)
 COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // empty')
 
 # Match bare "codex" at the start of the command or after a pipe/semicolon/&&
+# "codex-companion" won't match because \s requires whitespace after "codex".
 if echo "$COMMAND" | grep -qE '(^|[;&|]\s*)codex\s'; then
-  # Allow calls that go through the plugin's own companion script
-  if echo "$COMMAND" | grep -q 'codex-companion\.mjs'; then
-    exit 0
-  fi
   echo "Do not call the codex CLI directly. Use the codex plugin instead: /codex:rescue for tasks, /codex:review for reviews, /codex:status for status, /codex:result for results." >&2
   exit 2
 fi