feat(hooks): block bundled test+commit, require full suite before commit

I tightened the before-committing rule in verification.md and commits.md from "run tests" to "run the full suite as its own step and commit only on zero failures." A PreToolUse hook now backs it: it denies a test runner chained into git commit through an ungated connector, and lets the gated && form pass. I added a respond_deny helper. Tests cover the connector cases.

1 files changed, 1 insertions, 1 deletions

diff --git a/claude-rules/commits.md b/claude-rules/commits.md
index 5fe8f1b..4509cee 100644
--- a/claude-rules/commits.md
+++ b/claude-rules/commits.md
@@ -457,7 +457,7 @@ independent gate.
 2. Scan the message for AI-attribution language (including emojis and footers), and on a public or shared-remote repo for tooling-path enumeration — prose that lists `CLAUDE.md`, `.claude/`, `.ai/`, `todo.org`, `notes.org`, or `session-context`. Name the category, not the paths. Exempt: a commit whose change is one of those files, and private single-user repos.
 3. Review the diff — only intended changes staged; no unrelated files.
 4. Confirm staged files belong in the repo: nothing that the project's policy keeps untracked (the personal-tooling set in gitignore-mode projects), and in repos with a canonical/mirror split, the edit is on the canonical side — a mirror-only edit gets reverted by the next sync.
-5. Run tests and linters (see `verification.md`).
+5. Run the full test suite and linters as their own step, read the result, and commit only on zero failures — never chain the run into the commit command (see `verification.md`).
 
 ## If You Catch Yourself