* fix(#3129): replace bypassed bash regex with token-walk git-cmd.js classifier
Root cause: gsd-validate-commit.sh used:
if [[ "$CMD" =~ ^git[[:space:]]+commit ]]
This regex silently bypasses Conventional Commits enforcement for:
git -C /path commit -m ... (working-directory prefix)
GIT_AUTHOR_NAME=x git commit (env-var prefix)
/usr/bin/git commit -m ... (full-path executable)
Fix: introduces hooks/lib/git-cmd.js with isGitSubcommand(cmd, sub) —
a token-walk classifier that handles all four forms by:
1. Skipping leading VAR=VALUE env assignments
2. Validating the git executable (basename check for full-path support)
3. Consuming git global options (-C <path>, --git-dir=, -p, etc.)
4. Checking the subcommand token
The hook delegates to this classifier via node shell-out. node is
already called twice in this hook (config check + JSON parse), so no
new runtime dependency.
This becomes the single source of truth for all hooks that gate on
git subcommands (pre-commit-review-gate, post-push-verify, etc.).
Regression test: 27 assertions — tokenize correctness, 12 must-match
cases (including all 3 bypass forms), 8 must-not-match cases, 3 source
checks. All are real behavioral tests, not string comparisons.
Suite: 7035/7035. Closes#3129.
* fix(lint+hook+changeset): allow-test-rule, fix HOOK_DIR quote injection, fix changeset pr+typo
