Fire BeforeTool hook before confirmation dialog

[afarber]

Summary

Moves BeforeTool hook execution to run before the user confirmation dialog, so hooks can block or auto-approve tools without wasting the user's time on a confirmation they'll never use.

Details

Previously, BeforeTool hooks ran after the user approved a tool, meaning a hook could block a tool the user had already approved. This was poor UX.

Changes:

• Fire fireBeforeToolHook() in _processNextInQueue() before shouldConfirmExecute()
• If hook returns block/deny: block immediately, skip confirmation dialog
• If hook returns approve/allow: auto-approve, skip confirmation dialog
• If hook returns ask/undefined: show confirmation dialog (normal flow)
• Added isApprovingDecision() method to DefaultHookOutput and BeforeToolHookOutput
• Added beforeHookAlreadyFired parameter to executeToolWithHooks() to prevent duplicate hook calls

Related Issues

Fixes #15167

How to Validate

Pre-Merge Checklist

1. Run tests: npm run test --workspace @google/gemini-cli-core -- src/core/coreToolScheduler.test.ts -t "BeforeTool"
2. Run hook type tests: npm run test --workspace @google/gemini-cli-core -- src/hooks/types.test.ts
3. Configure a BeforeTool hook that returns { "decision": "block" } and verify the tool is blocked without showing a confirmation dialog

• [ ] Updated relevant documentation and README (if needed)
• [x] Added/updated tests (if needed)
• [ ] Noted breaking changes (if any)
• [x] Validated on required platforms/methods:
  • [ ] MacOS
    • [ ] npm run
    • [ ] npx
    • [ ] Docker
    • [ ] Podman
    • [ ] Seatbelt
  • [ ] Windows
    • [ ] npm run
    • [ ] npx
    • [ ] Docker
  • [x] Linux
    • [x] npm run
    • [ ] npx
    • [ ] Docker