docs: extend commit rules to cover tooling-path enumeration

The no-attribution rules covered AI credit but not incidental mentions of tooling filenames in commit prose. The case that bit: a .gitignore commit naming .claude, CLAUDE.md, and .ai in its message leaks the tooling layer into a public log. Adds a tooling-path-enumeration ban with that gitignore case named, extends the Before-Committing scan, and adds the missing paths to the protocols keep-out list. Both carry the file-is-the-change and private-single-user-repo exemptions, so a rule edit or a rulesets commit can still name what it touched.

3 files changed, 5 insertions, 3 deletions

diff --git a/.ai/protocols.org b/.ai/protocols.org
index 05f889b..da6928f 100644
--- a/.ai/protocols.org
+++ b/.ai/protocols.org
@@ -427,7 +427,7 @@ When creating commits:
    - Keep messages clear and informative
 
 3. **No Claude-tooling artifacts**: Commit messages describe project changes only — the meta-process of how work got shipped stays out of public git history.
-   - **ABSOLUTELY NO** mentions of =notes.org=, =session-context.org=, =.ai/sessions/=, =todo.org=, "session wrap-up", or session timestamps (e.g., "Session YYYY-MM-DD HH:MM → ...")
+   - **ABSOLUTELY NO** mentions of =notes.org=, =session-context.org=, =.ai/= (including =.ai/sessions/=), =.claude/=, =CLAUDE.md=, =todo.org=, "session wrap-up", or session timestamps (e.g., "Session YYYY-MM-DD HH:MM → ..."), except when one of those files is itself the change — then name what changed by category, not the surrounding tooling layer
    - Subject lines must NEVER start with =session:= as a conventional-commit type — use =docs:=, =refactor:=, =fix:=, =feat:=, =chore:=, etc. (real change categories)
    - When a wrap-up commit bundles many changes from a session, describe what /shipped/ (e.g., =refactor: extract RAID logic + add bats testing infrastructure=), not that a session happened
    - Same spirit as the no-Claude-attribution rule: the tooling stays invisible in =git log=
diff --git a/claude-rules/commits.md b/claude-rules/commits.md
index a3ec0f2..5fe8f1b 100644
--- a/claude-rules/commits.md
+++ b/claude-rules/commits.md
@@ -185,6 +185,8 @@ Don't write "per `testing.md`, integration tests must hit a real DB" or "the rul
 
 Edge case: when one of these files *is* the change (a commit in the rulesets repo, an edit to a project's `CLAUDE.md`), describe what changed and why without invoking the wider personal-rules layer around it. The commit can absolutely say "tighten testing rule for legacy code". It shouldn't say "per the personal-rules layer this file is loaded into…".
 
+**Tooling-path enumeration is the same leak.** Citing a rule as authority isn't the only way the tooling layer leaks into history. A commit whose *content* must name these paths — a `.gitignore` adding `.claude/`, `CLAUDE.md`, `.ai/` — has unavoidable, correct file content, but its *message prose* must not enumerate them ("chore: ignore .claude tooling, CLAUDE.md, and session files"). On a public or shared-remote repo that enumeration exposes the tooling layer's structure in the log just as a citation would. Name the category instead: "chore: extend gitignore for local tooling and build artifacts". The same holds for any incidental mention, not only `.gitignore` commits. Two exemptions: a commit whose change *is* one of these files (the edge case above), and private single-user repos with no shared remote, where the history is the project and there's no third party to leak to.
+
 Different artifact types carry different content. Don't duplicate.
 
 **PR descriptions:** four sections, in order.
@@ -452,7 +454,7 @@ independent gate.
 ## Before Committing
 
 1. Check author identity: `git log -1 --format='%an <%ae>'` — should be the user.
-2. Scan the message for AI-attribution language (including emojis and footers).
+2. Scan the message for AI-attribution language (including emojis and footers), and on a public or shared-remote repo for tooling-path enumeration — prose that lists `CLAUDE.md`, `.claude/`, `.ai/`, `todo.org`, `notes.org`, or `session-context`. Name the category, not the paths. Exempt: a commit whose change is one of those files, and private single-user repos.
 3. Review the diff — only intended changes staged; no unrelated files.
 4. Confirm staged files belong in the repo: nothing that the project's policy keeps untracked (the personal-tooling set in gitignore-mode projects), and in repos with a canonical/mirror split, the edit is on the canonical side — a mirror-only edit gets reverted by the next sync.
 5. Run tests and linters (see `verification.md`).
diff --git a/claude-templates/.ai/protocols.org b/claude-templates/.ai/protocols.org
index 05f889b..da6928f 100644
--- a/claude-templates/.ai/protocols.org
+++ b/claude-templates/.ai/protocols.org
@@ -427,7 +427,7 @@ When creating commits:
    - Keep messages clear and informative
 
 3. **No Claude-tooling artifacts**: Commit messages describe project changes only — the meta-process of how work got shipped stays out of public git history.
-   - **ABSOLUTELY NO** mentions of =notes.org=, =session-context.org=, =.ai/sessions/=, =todo.org=, "session wrap-up", or session timestamps (e.g., "Session YYYY-MM-DD HH:MM → ...")
+   - **ABSOLUTELY NO** mentions of =notes.org=, =session-context.org=, =.ai/= (including =.ai/sessions/=), =.claude/=, =CLAUDE.md=, =todo.org=, "session wrap-up", or session timestamps (e.g., "Session YYYY-MM-DD HH:MM → ..."), except when one of those files is itself the change — then name what changed by category, not the surrounding tooling layer
    - Subject lines must NEVER start with =session:= as a conventional-commit type — use =docs:=, =refactor:=, =fix:=, =feat:=, =chore:=, etc. (real change categories)
    - When a wrap-up commit bundles many changes from a session, describe what /shipped/ (e.g., =refactor: extract RAID logic + add bats testing infrastructure=), not that a session happened
    - Same spirit as the no-Claude-attribution rule: the tooling stays invisible in =git log=