docs(githooks): add installation README for symlink usage

- Add githooks/README.md with step-by-step symlink instructions
- Explain git config core.hooksPath setup and usage
- Document bypass and what the hook checks
- Completes acceptance criterion #4 for #338

Closes #338

hermes-sovereign/githooks/README.md

@@ -0,0 +1,49 @@
+# Git Hooks
+
+Pre-commit hooks extracted from the `hermes-agent` fork. These hooks run automated checks before each commit.
+
+## Installation
+
+To use these hooks in any repository, set the `core.hooksPath` to this directory:
+
+```bash
+git config core.hooksPath /path/to/timmy-config/hermes-sovereign/githooks
+```
+
+The path should be absolute or relative to the repository root. For example, if `timmy-config` is cloned alongside your project:
+
+```bash
+# From your project root
+git config core.hooksPath ../timmy-config/hermes-sovereign/githooks
+```
+
+Once configured, Git will execute the hooks from this directory whenever you run `git commit` in that repository.
+
+## Hooks
+
+| Hook | Description |
+|------|-------------|
+| `pre-commit` | Wrapper that invokes `pre-commit.py` for secret leak detection |
+| `pre-commit.py` | Scans staged diffs and file contents for secrets, tokens, private keys, and credential patterns |
+
+## Bypass
+
+To skip hooks for a single commit (use sparingly):
+
+```bash
+git commit --no-verify -m "Your message"
+```
+
+## What the Hook Checks
+
+The pre-commit hook scans staged changes for:
+- API tokens and service keys
+- Private keys and certificates  
+- Hardcoded credentials and passwords
+- Known secret file paths and patterns
+
+If a potential secret is detected, the commit is blocked and a Finding is printed to stderr.
+
+## Updating
+
+Commit changes to this directory directly in `timmy-config`. Any repository using these hooks will automatically pick up updates the next time they pull changes to this directory (the hooks themselves are read fresh on each commit).