feat: enforce main branch protection in pre-push hook

[mpaulosky]

Summary

Adds Gate 0 to the pre-push hook that blocks direct pushes to main or master branches. This enforces the squad workflow documented in ceremonies.md.

Changes

• .git/hooks/pre-push — Added Gate 0 (main branch guard) that runs first and blocks pushes to protected branches
• scripts/hooks/pre-push — Synced template to match
• .squad/decisions.md — Documented the enforcement decision
• .squad/ceremonies.md — Added enforcement note to Standard Task Workflow

Before

git checkout main && git push  # ✅ Allowed (bad)

After

git checkout main && git push
❌ BLOCKED: Direct push to 'main' is not allowed.

📋 Squad Workflow requires:
   1. Create a feature branch: git checkout -b squad/{issue}-{slug}
   2. Make your changes and commit
   3. Push the branch: git push -u origin squad/{issue}-{slug}
   4. Create a PR: gh pr create --base main

Testing

• Verified guard blocks main push with clear error message
• Verified guard allows squad/* branch push
• All existing gates (copyright, formatting, tests) still run after Gate 0 passes

[github-actions]

Test Results Summary

  7 files  ±0   38 suites  ±0   14s ⏱️ -1s
840 tests ±0  840 ✅ +10  0 💤 ±0  0 ❌  - 10 
851 runs  ±0  851 ✅ +10  0 💤 ±0  0 ❌  - 10 

Results for commit 84ed21d. ± Comparison against base commit 889d6cb.

♻️ This comment has been updated with latest results.

[Copilot]

Pull request overview

Adds a new “Gate 0” to the repo’s pre-push hook to block direct pushes to protected branches (main/master), and documents the enforcement decision and workflow guidance in Squad docs.

Changes:

• Added Gate 0 (main/master push guard) to scripts/hooks/pre-push so it runs before existing gates.
• Recorded the enforcement decision in .squad/decisions.md.
• Updated .squad/ceremonies.md to note workflow enforcement and reformatted the Standard Task Workflow section.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

File	Description
scripts/hooks/pre-push	Adds Gate 0 branch protection ahead of existing pre-push gates.
.squad/decisions.md	Documents the decision to enforce main/master push protection via pre-push.
.squad/ceremonies.md	Updates workflow docs to mention enforcement and adjusts formatting/structure.

---

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

Heading levels under “Standard Task Workflow” become inconsistent: Phase 1/2 are #####, but Phase 3–5 are ##, which jumps back up to the same level as “Defined Ceremonies”. This breaks the document hierarchy/TOC; make Phase 3–5 the same level as Phase 1/2 (and nested under #### Phases).

[Copilot]

This section says “all 6 pre-push gates must pass” and lists items like AppHost.Tests.Unit, but scripts/hooks/pre-push currently documents/runs 4 gates and does not run AppHost.Tests.Unit. Update this list/count so it matches what the hook actually enforces (including Gate 0 if intended).

[Copilot]

In the “Why” line, Ceremonies.md is referenced without the actual path used in this repo (.squad/ceremonies.md). Consider updating the reference so it’s easy to locate.

Suggested change

	**Why:** Ceremonies.md documents the Standard Task Workflow but it was not enforced. Direct push to main (commit 889d6cb) bypassed the PR process. Gate 0 now reads the remote ref and exits with error if target is main/master.
	**Why:** `.squad/ceremonies.md` documents the Standard Task Workflow but it was not enforced. Direct push to main (commit 889d6cb) bypassed the PR process. Gate 0 now reads the remote ref and exits with error if target is main/master.

[Copilot]

while read local_ref local_sha remote_ref remote_sha; do should use IFS= and read -r for consistent, robust parsing (the rest of this script already uses IFS= read -r). This avoids backslash-escape handling surprises and makes the style consistent.

Suggested change

	while read local_ref local_sha remote_ref remote_sha; do
	while IFS=' ' read -r local_ref local_sha remote_ref remote_sha; do

[Copilot]

The branch name placeholder in this guidance (squad/{issue}-{slug}) doesn’t match the pattern documented in .squad/ceremonies.md (squad/{issue-number}-{kebab-slug}). Consider aligning the placeholders to reduce confusion.

[Copilot]

PR description claims .git/hooks/pre-push was updated, but this repo appears to keep the hook under scripts/hooks/pre-push and install it into .git/hooks/ via scripts/hooks/install-hooks.sh. Consider updating the PR description (or adding .git/hooks/pre-push if you intend to track it) so the stated changed files match what’s actually included.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 58.89%. Comparing base (889d6cb) to head (84ed21d).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #104      +/-   ##
==========================================
+ Coverage   58.87%   58.89%   +0.01%     
==========================================
  Files         110      110              
  Lines        2495     2496       +1     
  Branches      254      254              
==========================================
+ Hits         1469     1470       +1     
  Misses        844      844              
  Partials      182      182              

Files with missing lines	Coverage Δ
...c/Api/Handlers/Categories/CreateCategoryHandler.cs	100.00% <100.00%> (ø)
src/Api/Handlers/Comments/CreateCommentHandler.cs	96.55% <100.00%> (ø)
src/Api/Handlers/Issues/CreateIssueHandler.cs	88.46% <100.00%> (+0.46%)	⬆️
src/Api/Handlers/Statuses/CreateStatusHandler.cs	100.00% <100.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.