chore(claude): add private-name-guard hook + rule

Sibling to public-surface-reminder. Fires on the same set of public-
surface bash commands (git commit, git push, gh pr/issue/api/release
write) and prints a stderr nudge to omit any private repo or internal
project name. Never blocks; pure attention priming.

CLAUDE.md grows a corresponding rule. The hook is the priming nudge;
the rule applies even when the hook isn't installed.

Author: jdalton

.claude/hooks/private-name-guard/README.md

@@ -0,0 +1,59 @@
+# private-name-guard
+
+`PreToolUse` hook that **never blocks**. On every `Bash` command that
+would publish text to a public Git/GitHub surface, writes a short
+reminder to stderr so the model re-reads the command with the rule
+freshly in mind:
+
+> No private repos or internal project names in public surfaces. Omit
+> the reference entirely — don't substitute a placeholder. The
+> placeholder itself is a tell.
+
+Attention priming, not enforcement. The model is responsible for
+applying the rule — the hook just ensures the rule is in the active
+context at the moment the command is about to fire.
+
+Sibling to `public-surface-reminder`, which covers customer/company
+names and internal work-item IDs. The two hooks compose: both fire on
+the same public-surface commands, each priming a distinct slice of the
+rule set.
+
+## What counts as "public surface"
+
+- `git commit` (including `--amend`)
+- `git push`
+- `gh pr (create|edit|comment|review)`
+- `gh issue (create|edit|comment)`
+- `gh api -X POST|PATCH|PUT`
+- `gh release (create|edit)`
+
+Any other `Bash` command passes through silently.
+
+## Why no denylist
+
+Because a denylist is itself a leak. A file named `private-projects.txt`
+that enumerates "these are our internal repos" is worse than no list at
+all — anyone who finds it gets the org's full internal map for free.
+Recognition happens at write time, every time, by the model reading the
+text it's about to send. The hook just makes sure that read happens.
+
+## Wiring
+
+`.claude/settings.json`:
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [{ "type": "command", "command": "node .claude/hooks/private-name-guard/index.mts" }]
+      }
+    ]
+  }
+}
+```
+
+## Exit code
+
+Always `0`. The hook never blocks; it only prints to stderr.

.claude/hooks/private-name-guard/index.mts

@@ -0,0 +1,89 @@
+#!/usr/bin/env node
+// Claude Code PreToolUse hook — private-name guard.
+//
+// Never blocks. On every Bash command that would publish text to a public
+// Git/GitHub surface (git commit, git push, gh pr/issue/api/release write),
+// writes a short reminder to stderr so the model re-reads the command with
+// the rule freshly in mind:
+//
+//   No private repos or internal project names in public surfaces.
+//   Omit the reference entirely — don't substitute a placeholder.
+//
+// Exit code is always 0. This is attention priming, not enforcement. The
+// model is responsible for applying the rule — the hook just makes sure
+// the rule is in the active context at the moment the command is about
+// to fire.
+//
+// Deliberately carries no enumerated denylist. Recognition and replacement
+// happen at write time, not via a list of names. A denylist is itself a
+// leak — a file named `private-projects.txt` would be the very thing it
+// tries to prevent.
+//
+// Reads a Claude Code PreToolUse JSON payload from stdin:
+//   { "tool_name": "Bash", "tool_input": { "command": "..." } }
+
+import { readFileSync } from 'node:fs'
+
+type ToolInput = {
+  tool_name?: string
+  tool_input?: {
+    command?: string
+  }
+}
+
+// Commands that can publish content outside the local machine.
+// Keep broad — better to remind on an extra read than miss a write.
+const PUBLIC_SURFACE_PATTERNS: RegExp[] = [
+  /\bgit\s+commit\b/,
+  /\bgit\s+push\b/,
+  /\bgh\s+pr\s+(create|edit|comment|review)\b/,
+  /\bgh\s+issue\s+(create|edit|comment)\b/,
+  /\bgh\s+api\b[^|]*-X\s*(POST|PATCH|PUT)\b/i,
+  /\bgh\s+release\s+(create|edit)\b/,
+]
+
+function isPublicSurface(command: string): boolean {
+  const normalized = command.replace(/\s+/g, ' ')
+  return PUBLIC_SURFACE_PATTERNS.some(re => re.test(normalized))
+}
+
+function main(): void {
+  let raw = ''
+  try {
+    raw = readFileSync(0, 'utf8')
+  } catch {
+    return
+  }
+
+  let input: ToolInput
+  try {
+    input = JSON.parse(raw)
+  } catch {
+    return
+  }
+
+  if (input.tool_name !== 'Bash') {
+    return
+  }
+  const command = input.tool_input?.command
+  if (!command || typeof command !== 'string') {
+    return
+  }
+  if (!isPublicSurface(command)) {
+    return
+  }
+
+  const lines = [
+    '[private-name-guard] This command writes to a public Git/GitHub surface.',
+    '  • Re-read the commit message / PR body / comment BEFORE it sends.',
+    '  • No private repo names. No internal project codenames. No unreleased',
+    '    product names. No internal-only tooling repos absent from the public',
+    '    org page. No customer/partner names.',
+    '  • Omit the reference entirely. Do not substitute a placeholder — the',
+    '    placeholder itself is a tell.',
+    '  • If you spot one, cancel and rewrite the text first.',
+  ]
+  process.stderr.write(lines.join('\n') + '\n')
+}
+
+main()

.claude/hooks/private-name-guard/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "hook-private-name-guard",
+  "private": true,
+  "type": "module",
+  "main": "./index.mts",
+  "exports": {
+    ".": "./index.mts"
+  },
+  "devDependencies": {
+    "@types/node": "24.9.2"
+  }
+}

.claude/settings.json

@@ -19,11 +19,15 @@
         "hooks": [
           {
             "type": "command",
-            "command": "node .claude/hooks/token-guard/index.mts"
+            "command": "node .claude/hooks/private-name-guard/index.mts"
           },
           {
             "type": "command",
             "command": "node .claude/hooks/public-surface-reminder/index.mts"
+          },
+          {
+            "type": "command",
+            "command": "node .claude/hooks/token-guard/index.mts"
           }
         ]
       }

CLAUDE.md

@@ -144,6 +144,7 @@ See `docs/references/error-messages.md` for worked examples and anti-patterns.
 - Forbidden to create docs unless requested
 - 🚨 **NEVER use `npx`, `pnpm dlx`, or `yarn dlx`** — use `pnpm exec` or `pnpm run` # zizmor: documentation-prohibition
 - **minimumReleaseAge**: NEVER add packages to `minimumReleaseAgeExclude` in CI. Locally, ASK before adding — the age threshold is a security control.
+- 🚨 **NEVER mention private repos or internal project names** in commits, PR titles/descriptions/comments, issues, release notes, or any public-surface text. Internal codenames, unreleased product names, internal tooling repo names not on the public org page, customer names, partner names — none belong in public surfaces. **Omit the reference entirely.** Don't substitute a placeholder ("an internal tool", "a downstream consumer", etc.) — the placeholder itself is a tell that something is being elided. Rewrite the sentence to not need the reference at all. The `.claude/hooks/private-name-guard` hook re-prints this rule on every public-surface `git`/`gh` command as a priming nudge; the rule applies even when the hook isn't installed.
 
 ## DOCUMENTATION POLICY