v0.2.1 hotfix: fix #7 _template_path leak + pre-commit hooks

[willwebster5]

Summary

• Fixes **dashboard apply fails: "_template_path" leaks into Humio payload (+ design Q: metadata namespace)** #7: _template_path (and any _-prefixed tool-internal key) no longer leaks into the Humio dashboard YAML payload. DashboardProvider._prepare_yaml_payload and _normalize_for_hash now route through a new shared core/template_sanitizer helper that strips the universally-IaC reserved set {resource_id, type, dependencies, metadata} plus any _-prefixed key. Dashboard-specific transforms (tags → labels rename, description strip) are preserved unchanged.
• Adds .pre-commit-config.yaml with ruff hooks (ruff-format, ruff) mirroring the CI lint gate, plus pre-commit>=3.7 in dev deps. Also documents the install step in CLAUDE.md under a new Installing pre-commit hooks section.
• Fixes ruff-format drift on detection_provider.py / test_detection_provider.py that caused the PR Add metadata: block validator and ADS path-ref extension #6 merge commit's lint CI job to go red.
• Adds CHANGELOG.md with a v0.2.1 — 2026-04-16 entry covering the above. Notes that the malformed v.0.2.0 tag is orphaned on the remote (a GitHub repo rule blocks tag deletion, but hatchling cannot parse it, so no release will ever be cut from it).

Test plan

• pytest tests/ → 456 passed (17 new in test_template_sanitizer.py, 6 new in test_dashboard_provider.py::TestIssue7Regression)
• ruff format --check src/ tests/ --exclude src/talonctl/_version.py → clean
• ruff check src/ tests/ --exclude src/talonctl/_version.py → clean
• pre-commit run --all-files → clean (both hooks Passed)
• Issue **dashboard apply fails: "_template_path" leaks into Humio payload (+ design Q: metadata namespace)** #7 direct regression: pytest tests/unit/test_template_sanitizer.py::TestIssue7Regression tests/test_dashboard_provider.py::TestIssue7Regression -v → 7 passed
• Hash-behavior preservation verified: all 58 pre-existing dashboard tests still pass after the refactor (the new code pops description and tags explicitly to keep hash input identical to pre-helper behavior; metadata is newly excluded from the hash, which is the intentional design direction — editing metadata will no longer replan)
• CI lint + test + smoke jobs green on this PR

Out of scope for v0.2.1 (handled by v0.3.0 namespace redesign)

• Routing the other 6 providers (saved_search, detection, workflow, lookup_file, rtr_script, rtr_put_file) through the new helper
• Adding metadata.maturity validation universally
• Relocating metadata.ads on detections from top-level to metadata.ads
• Rejecting the old top-level ads: / flat metadata: shapes
• Example template migration and the breaking-change CHANGELOG entry

Closes #7.

🤖 Generated with Claude Code