chore: add guardrails blocking author trailers in commits

Project policy (CLAUDE.md + CONVENTIONS.md) forbids co-author lines in
commit messages. One slipped into f6a621b despite the rule. Two layers added:

- scripts/git-hooks/commit-msg: client-side git hook that rejects any
  commit containing a co-author trailer. Activate: `make install-hooks`.
  Bypass: --no-verify (agent use only).

- .claude/hooks/no-coauthor.sh: Claude Code PreToolUse hook (exit 2) that
  hard-blocks Bash tool calls issuing git commit with the forbidden trailer,
  covering AI agent sessions as a second line of defense.

- GNUmakefile: new `install-hooks` target (configures core.hooksPath).
- .claude/settings.json: no-coauthor hook registered alongside serena-first.

Author: SoulKyu

.claude/hooks/no-coauthor.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+# PreToolUse hook: block git commit commands containing Co-Authored-By trailer.
+# Project policy (CLAUDE.md + CONVENTIONS.md) strictly forbids co-author lines.
+# This catches Claude Code sub-agents that include the trailer before --no-verify
+# is applied, providing a second layer of defense alongside the commit-msg git hook.
+#
+# Exit codes (Claude Code PreToolUse semantics):
+#   0  → allow
+#   2  → BLOCK (hard rejection, tool call not executed)
+set -euo pipefail
+
+input=$(cat)
+tool=$(echo "$input" | jq -r '.tool_name // ""')
+
+[[ "$tool" != "Bash" ]] && exit 0
+
+cmd=$(echo "$input" | jq -r '.tool_input.command // ""')
+
+# Only inspect git commit invocations
+if ! echo "$cmd" | grep -qE '(^|[[:space:]])git[[:space:]].*commit'; then
+  exit 0
+fi
+
+# Check for Co-Authored-By in the command string (covers -m "...", HEREDOC, etc.)
+if echo "$cmd" | grep -iE 'co-?authored-?by' > /dev/null 2>&1; then
+  cat >&2 <<'EOF'
+[no-coauthor] BLOCKED: git commit contains a Co-Authored-By trailer.
+Project policy (CLAUDE.md + CONVENTIONS.md) strictly forbids co-author lines.
+Remove the trailer from the commit message and retry.
+EOF
+  exit 2
+fi
+
+exit 0

.claude/settings.json

@@ -10,6 +10,15 @@
             "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/serena-first.sh\""
           }
         ]
+      },
+      {
+        "matcher": "Bash",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "bash \"$CLAUDE_PROJECT_DIR/.claude/hooks/no-coauthor.sh\""
+          }
+        ]
       }
     ]
   }

GNUmakefile

@@ -9,7 +9,7 @@ VERSION=dev
 OS_ARCH=$(shell go env GOOS)_$(shell go env GOARCH)
 PLUGIN_DIR=~/.terraform.d/plugins/$(HOSTNAME)/$(NAMESPACE)/$(TYPE)/$(VERSION)/$(OS_ARCH)
 
-.PHONY: build test testacc lint generate docs install dev-override clean default
+.PHONY: build test testacc lint generate docs install install-hooks dev-override clean default
 
 default: build
 
@@ -42,6 +42,11 @@ install: build
 	mkdir -p $(PLUGIN_DIR)
 	cp $(BINARY_NAME) $(PLUGIN_DIR)/terraform-provider-$(TYPE)
 
+install-hooks:
+	@git config core.hooksPath scripts/git-hooks
+	@echo "Git hooks installed (core.hooksPath = scripts/git-hooks)"
+	@echo "commit-msg hook will reject Co-Authored-By trailers."
+
 dev-override:
 	@echo 'Add this to ~/.terraformrc:'
 	@echo ''

scripts/git-hooks/commit-msg

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# commit-msg hook: reject Co-Authored-By trailers (project policy, CLAUDE.md + CONVENTIONS.md)
+# Install: make install-hooks (sets core.hooksPath to scripts/git-hooks)
+# Bypass:  git commit --no-verify  (discouraged, agent-only use case)
+set -euo pipefail
+
+msg_file="$1"
+
+if grep -iE '^[[:space:]]*co-?authored-?by[[:space:]]*:' "$msg_file" > /dev/null 2>&1; then
+  echo "ERROR [commit-msg]: Co-Authored-By trailer detected." >&2
+  echo "Project policy (CLAUDE.md + CONVENTIONS.md) forbids co-author lines." >&2
+  echo "Remove the trailer and retry. Use --no-verify to bypass (discouraged)." >&2
+  exit 1
+fi
+
+exit 0