fix(l3-gate): count mutations not creations — unblock initial bootstrap commit (BRO-1435)

[broomva]

BRO-1435 — L3 rate gate blocked the initial bstack bootstrap commit

Found via P11 dogfooding of the v0.27.0 autonomous-loop demo. bstack bootstrap activates the L3 rate gate, then the user's first git commit of the freshly-created governance is blocked — the gate counted the 5 newly-created L3 files as 5 mutations (5/1 EXCEEDED). Creation is not mutation: there's no prior governance state to destabilize.

Fix (scripts/l3-rate-gate.sh)

• Staged count: a staged L3 path counts only if it exists at HEAD (git cat-file -e HEAD:<path>). New files (and the first-ever commit, no HEAD) are exempt.
• Committed count: git log --diff-filter=M so additions don't consume the per-window budget — only modifications do. Switched wc -l on a format:%H stream → grep -c ., fixing a latent off-by-one (one committed L3 mutation previously counted as 0).
• The pre-commit template calls the script (no duplicated logic), so this fixes both bstack bootstrap Day-1 UX and every deployed .githooks/pre-commit.

Gate purpose preserved

Governance modifications are still rate-limited to 1 per τ_a₃ window. Only creation is exempt.

Test plan

• New tests/l3-rate-gate.test.sh — 4 hermetic cases: A create 5 L3 files → exempt (exit 0) · B 1 modification → within budget (exit 0) · C 2nd modification same window → blocked (exit 1) · D non-governance → ignored (exit 0). 4/4 pass.
• Regression: template_lockstep 15/15 (count 20), schema-validation, repair-merge-hooks, onboard, gitignore-aware-bootstrap, omega-drift-trend — all green. bash -n + shellcheck clean.

P20 cross-review

Independent reviewer: PASS 9/10, no blockers. Verified the fix does not weaken the gate (proved 3 additional ways 2+ modifications still block), that git cat-file -e HEAD: correctly handles delete-then-readd / first-commit / spaced paths, no false negatives in the committed count, and --json/--warn-only/--window/hook-contract intact. Minor (accepted): a convoluted delete-then-recreate evasion — acceptable for a stability guardrail, not a security control.

Primitive count unchanged (20). VERSION 0.27.0 → 0.27.1. Related: BRO-1431.

🤖 Generated with Claude Code

[linear]

BRO-1435

[coderabbitai]

Warning

Review limit reached

@broomva, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 16 minutes and 5 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: a2366d50-77bd-41ae-87b9-ba53e12ba9ce

📥 Commits

Reviewing files that changed from the base of the PR and between fff6671 and 5cb0c15.

📒 Files selected for processing (4)

• CHANGELOG.md
• VERSION
• scripts/l3-rate-gate.sh
• tests/l3-rate-gate.test.sh

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/bro-1435-l3-gate-creation-exempt

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}