Symptom
`Validate Claude Code Plugin` workflow has been failing on every push to `main` and on PRs since at least 2026-04-13 (~6 weeks). 74 of the last 100 runs are failures.
Root cause
The `git-permission-guard.py` hook was tightened on 2026-03-22 (commit `4edae25`, "close git-guards bypass allowing direct commits to main"). The implementation now `deny`s things that previously `ask`-ed or `silent_allow`-ed, but `git-guards/scripts/test_permission_guard.py` was never updated to match.
Three test cases assert outcomes that contradict the current guard:
| Command | Expected | Got |
| --- | --- | --- |
| `git push --force origin feature/my-branch` | `ask` | `deny` |
| `git -c some.key=echo-core.hooksPath commit -m test` | `silent_allow` | `deny` |
| `git -c user.name=test commit -m "allow -c core.hooksPath bypass example"` | `silent_allow` | `deny` |
The third is a real false positive — the guard substring-matches `core.hooksPath` inside the `-m` message body, not just `-c key=value` flags.
Fix
Two-part:
- Update test fixtures for force-push and the legitimate hooksPath-bypass case to expect `deny` (the tightened policy is intentional).
- Fix the tokenizer in `git-permission-guard.py` to only inspect actual `-c key=value` flags, not arbitrary string occurrences in commit messages — then keep `silent_allow` for the third test.
Affected files
- `git-guards/scripts/git-permission-guard.py`
- `git-guards/scripts/test_permission_guard.py`
- `.github/workflows/validate-plugin.yml` (surfaces the failure on every push)
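
A sketch of the second part of the fix, added here as an example and not the code in `git-permission-guard.py`: it tokenizes the command with `shlex` and inspects only the arguments of git's global `-c` / `--config-env` options that appear before the subcommand. The function names, the `deny` on unparsable input, and the choice to keep substring-matching inside the `-c` argument (so the second table row still yields `deny`) are assumptions.

```python
import shlex

# Git treats section and variable names case-insensitively, so compare lowercased.
SENSITIVE = "core.hookspath"
# Global options that take their value as the next token (skipped, not inspected).
VALUE_OPTS = {"-C", "--git-dir", "--work-tree", "--namespace"}


def global_config_args(tokens):
    """Yield the argument of each -c / --config-env that precedes the subcommand."""
    i = 1  # tokens[0] is "git"
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-c", "--config-env"):
            if i + 1 < len(tokens):
                yield tokens[i + 1]
            i += 2
        elif tok.startswith("--config-env="):
            yield tok.split("=", 1)[1]
            i += 1
        elif tok in VALUE_OPTS:
            i += 2
        elif tok.startswith("-"):
            i += 1
        else:
            return  # subcommand reached: the rest (e.g. -m text) is not config


def hookspath_decision(command):
    """Return 'deny' or 'silent_allow' for the hooksPath rule only (hypothetical helper)."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return "deny"  # unbalanced quotes: fail closed
    if not tokens or tokens[0] != "git":
        return "silent_allow"
    if any(SENSITIVE in arg.lower() for arg in global_config_args(tokens)):
        return "deny"
    return "silent_allow"
```

This covers a single simple command and the hooksPath rule only; shell operators and the force-push rule are outside the sketch.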