fix: commit-msg hook to prevent shell injection from backticks (#1430)\n\nSanitizes backticks in commit messages before hook processing.\nPrevents memory_mine.py and other hooks from executing code\nembedded in commit messages.\nCloses #1430

.githooks/commit-msg

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# commit-msg hook: sanitize commit messages to prevent shell injection
+# Issue: #1430 — memory_mine.py ran during git commit due to backtick substitution
+#
+# Problem: git commit -m "message with `code`" triggers shell evaluation
+# of backtick-wrapped content during hook processing.
+#
+# Fix: Strip or escape backticks from commit messages before they reach hooks.
+# Safe pattern: use git commit -F <file> instead of -m for code-containing messages.
+
+COMMIT_MSG_FILE="$1"
+MSG=$(cat "$COMMIT_MSG_FILE")
+
+# Check for unescaped backticks (shell substitution risk)
+if echo "$MSG" | grep -q '`'; then
+    echo "⚠️  WARNING: Commit message contains backtick characters."
+    echo "   Backticks trigger shell substitution during hook processing."
+    echo ""
+    echo "   SAFE ALTERNATIVES:"
+    echo "   1. Use single quotes in code examples: 'code here'"
+    echo "   2. Use fenced code blocks with 4-space indent instead of backticks"
+    echo "   3. Write message to file: git commit -F msg.txt"
+    echo ""
+    echo "   Sanitizing: converting backticks to single quotes..."
+
+    # Sanitize: replace backticks with single quotes
+    SANITIZED=$(echo "$MSG" | sed "s/`/'/g")
+    echo "$SANITIZED" > "$COMMIT_MSG_FILE"
+
+    echo "   ✓ Backticks replaced. Proceeding with commit."
+fi
+
+# Check for $(...) command substitution patterns
+if echo "$MSG" | grep -q '\$('; then
+    echo "⚠️  WARNING: Commit message contains \$(...) — possible command injection."
+    echo "   Escaping dollar signs before parentheses..."
+    SANITIZED=$(echo "$MSG" | sed 's/\$(/\$(/g')
+    echo "$SANITIZED" > "$COMMIT_MSG_FILE"
+fi