The deny-list hook previously tracked two pattern categories that are
best kept in the containing workspace rather than in public tracked
content: internal codenames and local workspace paths. Those patterns
are the artifacts the hook is meant to keep out of public content, so
enumerating them in a tracked file in a public repo inverts the goal.
This change keeps the hook as a backstop for AI-consultation process
language — meta-behavior descriptive in nature and safe to expose —
and drops the codename and workspace-path enumerations. Primary
enforcement for those categories now lives in the containing
workspace's hooks plus authoring-time agent awareness.
Hook behavior:
- pre-commit: still blocks commits containing process-language
patterns in staged .md/.txt/.yml/.yaml/.json/.cff/.toml files
- commit-msg: still blocks commit messages containing the same
patterns after stripping Co-Authored-By trailers
- Co-Authored-By trailer handling is unchanged
No behavioral change for public-facing content. The removed checks
had no hits in the current tracked tree (verified via the workspace
audit playbook).
Co-Authored-By: Claude <noreply@anthropic.com>
Pull request overview
This PR updates the repo’s Lefthook deny-list hooks to only enforce generic, publicly safe “AI-consultation process language” patterns, removing workspace-specific codename/path enumerations that shouldn’t be tracked in a public repository.
Changes:
- Removes workspace-path and internal-codename pattern checks from the pre-commit deny-list scanner.
- Removes those same workspace-specific checks from the commit-msg deny-list scanner.
- Updates hook comments and user-facing error messaging to reflect the narrower scope.
| echo "" | ||
| echo "Process language in commit message. This is a PUBLIC repo." | ||
| echo "Describe what changed, not which models reviewed it." |
The deny-list regex used just above this block includes reviewer [0-9]+\b with grep -E. On BSD/POSIX grep (macOS), \b is a backspace escape (not a word-boundary), so the hook can miss matches. Prefer a POSIX-portable boundary such as ([^[:alnum:]_]|$) after the number, or refactor to avoid \b.
| if [ ! -f "$file" ]; then continue; fi | ||
|
|
||
| # Process language (the patterns that actually leaked) | ||
| if grep -inE 'cross-model (review|consultation|spec review)|multi-model (synthesis|analysis|consultation|spec review)|three-model consultation|two-model consultation|round [0-9]+ (review|verify|cross-model|findings)|consulted (codex|gemini|claude)|adversarial review|(codex|gemini|claude) feedback|reviewer [0-9]+\b|session handover|model attributions' "$file" 2>/dev/null; then |
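Review bot: the 2>/dev/null on this grep call makes the scan fail open. If grep exits with an error (an unreadable file, or a regex the local grep rejects), the if condition is false and the file passes with no message. Drop the redirect, or capture the exit status and fail the hook on anything other than 0 or 1. Also pass the path as -- "$file" so a staged filename beginning with a dash is not parsed as a grep option.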
The regex uses \b (e.g., reviewer [0-9]+\b) under grep -E. In POSIX/BSD grep, \b is a backspace escape (not a word-boundary), so this can silently fail to match on macOS and weaken the deny-list. Use a POSIX-portable boundary (e.g., ([^[:alnum:]_]|$) after the number) or restructure the pattern to avoid \b.
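A portable form of the check the two review comments describe, as an added example that is not the repository's hook code: it uses the bracket-expression boundary in place of \b, strips Co-Authored-By trailers before scanning, and treats a grep error as a failure rather than a pass. The names DENY, strip_trailers and scan_message are hypothetical, and DENY is only a subset of the pattern shown on this page.

```shell
#!/bin/sh
# Added example, not the repository's hook. DENY is a subset of the deny-list
# regex shown on this page; the trailing \b after "reviewer [0-9]+" is replaced
# by a POSIX bracket-expression boundary so GNU and BSD grep -E agree.
DENY='consulted (codex|gemini|claude)|adversarial review|session handover'
DENY="$DENY"'|reviewer [0-9]+([^[:alnum:]_]|$)'

# strip_trailers (hypothetical helper): drop Co-Authored-By trailer lines so
# only the author's own text is scanned.
strip_trailers() {
  grep -ivE '^co-authored-by:' || true
}

# scan_message (hypothetical helper): read a commit message on stdin.
# Returns 0 if clean, 1 if a deny-list pattern matched, 2 if grep itself
# failed, so a broken scan is never reported as a pass.
scan_message() {
  hits=$(strip_trailers | grep -inE -e "$DENY") && rc=0 || rc=$?
  case $rc in
    0) printf 'deny-list hit:\n%s\n' "$hits" >&2; return 1 ;;
    1) return 0 ;;
    *) printf 'deny-list scan failed (grep exit %s)\n' "$rc" >&2; return 2 ;;
  esac
}

# Assumed use in a commit-msg hook, where $1 is the message file:
#   scan_message < "$1" || exit 1
```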
Summary
The deny-list hook previously tracked two pattern categories that belong in the containing workspace rather than in public tracked content: internal codenames and local workspace paths. Enumerating those artifacts in a tracked file in a public repo inverts the hook's own goal.
This PR drops the codename and workspace-path enumerations from lefthook.yml and keeps the hook as a backstop for AI-consultation process language — meta-behavior descriptive in nature and safe to expose publicly.
Behavior after
- pre-commit still blocks commits containing process-language patterns in staged .md/.txt/.yml/.yaml/.json/.cff/.toml files
- commit-msg still blocks commit messages containing the same patterns (after stripping Co-Authored-By trailers)
Why safe
Verification
- ruby -ryaml -e "YAML.load_file('lefthook.yml')" — valid
- lefthook run pre-commit — all rules pass
- lefthook run commit-msg on this PR's commit — deny-list + validate both pass
Test plan