Merge pull request #39 from AxmeAI/feat/gate-cleanup-20260407

refactor: simplify gate hook, fix marker-in-message edge case

Author: George-iam

src/hooks/pre-tool-use.ts

@@ -149,44 +149,13 @@ function handlePreToolUse(sessionOrigin: string, event: HookInput): void {
       const rules = loadRulesForBash();
       verdict = checkBash(rules, command);
       if (!verdict.allowed) break;
-      // Track effective cwd through cd/pushd segments, then check each git
-      // segment with the correct cwd. If cwd cannot be determined (variables,
-      // subshells), block with instruction to use git -C.
-      // If chain contains git checkout (branch switch), skip merged-PR check
-      // because the hook runs BEFORE execution - current branch will change.
+      // Split chained commands and check each git segment independently.
+      // No cwd tracking needed - #!axme gate carries repo/PR explicitly.
       const segments = splitCommandSegments(command);
-      const hasCheckout = segments.some(s => /^\s*git\s+(checkout|switch)\b/.test(s.trim()));
-      let effectiveCwd = process.cwd();
-      let cwdResolved = true;
       for (const seg of segments) {
         const trimmed = seg.trim();
-        // Track cd/pushd
-        const cdMatch = trimmed.match(/^(?:cd|pushd)\s+["']?([^\s"']+)["']?$/);
-        if (cdMatch) {
-          const target = cdMatch[1];
-          if (target.includes("$") || target.includes("`")) {
-            cwdResolved = false;
-          } else {
-            const { resolve: pathResolve } = require("node:path");
-            const expanded = target.startsWith("~") ? target.replace("~", process.env.HOME || "") : target;
-            effectiveCwd = pathResolve(effectiveCwd, expanded);
-          }
-          continue;
-        }
-        // Check git segments
         if (/^\s*git\b/.test(trimmed)) {
-          // Parse git -C override
-          const cFlagMatch = trimmed.match(/git\s+-C\s+["']?([^\s"']+)["']?/);
-          let gitCwd = effectiveCwd;
-          if (cFlagMatch) {
-            const { resolve: pathResolve } = require("node:path");
-            gitCwd = pathResolve(effectiveCwd, cFlagMatch[1]);
-          } else if (!cwdResolved) {
-            verdict = { allowed: false, reason: `Cannot determine target directory for git command. Use explicit path: git -C /absolute/path ${trimmed.replace(/^git\s+/, '')}` };
-            break;
-          }
-          // Skip merged-PR check if chain includes checkout (branch will change)
-          verdict = checkGit(rules, trimmed, gitCwd, hasCheckout);
+          verdict = checkGit(rules, trimmed);
           if (!verdict.allowed) break;
         }
       }

src/storage/safety.ts

@@ -329,7 +329,11 @@ export function checkBash(rules: SafetyRules, command: string): SafetyVerdict {
  * Returns null if no #!axme marker found.
  */
 export function parseAxmeGate(command: string): { pr: string; repo: string } | null {
-  const match = command.match(/#!axme\s+(.*)/);
+  // Use the LAST occurrence of #!axme (the suffix), not one inside a commit message.
+  const lastIdx = command.lastIndexOf("#!axme");
+  if (lastIdx === -1) return null;
+  const suffix = command.slice(lastIdx);
+  const match = suffix.match(/^#!axme\s+(.*)/);
   if (!match) return null;
   const pairs = match[1].trim();
   const prMatch = pairs.match(/\bpr=(\S+)/);
@@ -400,7 +404,7 @@ function checkAxmeGate(fullCommand: string): SafetyVerdict | null {
  * and the `+refspec` form (`git push origin +main`) are all recognized;
  * `-fixes` and similar substrings are not.
  */
-export function checkGit(rules: SafetyRules, command: string, cwd?: string, skipMergedCheck?: boolean): SafetyVerdict {
+export function checkGit(rules: SafetyRules, command: string, _cwd?: string, skipMergedCheck?: boolean): SafetyVerdict {
   // Strip "git -C <path>" so startsWith checks work: "git -C foo commit" -> "git commit"
   const stripped = stripQuoted(command.trim()).replace(/^(git\s+)(?:-C\s+\S+\s+)+/, "$1");
   if (!rules.git.allowForcePush && stripped.startsWith("git push")) {