Summary: Reviewed hooks/pre-push-codereview.sh, tests/lint-skills.sh, and tests/test-pre-push-hook.sh at HEAD 85189b4 (the commit that hardened the push gate's detection: operator/newline/subshell normalization in is_git_push, a conservative refspec-scoped is_tag_only_push, and the shared _push_subcommand_indices walk). No exploitable issues. The hook never executes the inspected command: it parses tool_input.command from stdin JSON as text only, with no eval and no dynamic exec, so the new normalization and tokenization add no injection sink. The test harness builds payloads with jq -n --arg (correct quoting) and pipes them as stdin to bash "${HOOK}"; the command string is data, never run. Fail-closed paths verified: a missing or broken codereview-marker exits 2 (refuses the push), never "Allowing push," and lint enforces this. Markers remain per-user under ${XDG_CACHE_HOME:-${HOME}/.cache}/claude-codereview/ (0700), not the old /tmp symlink-race path. No secrets in the files or their git history; the only secret-shaped hits are comment/test prose. The sole email is test@test.invalid (RFC 6761 reserved). The /home/peter/... fixture path is the peter username, an already-accepted risk.

This change resolves the standing "Tag-bypass regex in pre-push hook" accepted risk: a combined branch+tag push, or a stray v[0-9] token elsewhere in the command, no longer skips the gate. is_tag_only_push now judges each push by its own refspec arguments and skips only when every push invocation is tag-only. The residual detection limits below are recorded at the same advisory-gate calibration.

• [NOTE] hooks/pre-push-codereview.sh — push detection is heuristic and misses wrapper/prefix invocations. is_git_push does not detect git reached as env git push, command git push, bash -c "git push", eval "git push", /usr/bin/git push (absolute path), xargs git push, or GIT_DIR=/x git push; each would let a push bypass the codereview gate. Related: is_tag_only_push's name-based tag test (^v[0-9]) treats a branch named like a version (e.g. git push origin v2-rewrite) as a tag and skips it. Not BLOCK/WARN: the gate is an advisory workflow guard against an unsupervised agent, not a security boundary against the human operator, who owns the machine and can bypass trivially (codereview-skip, git push --no-verify, or editing the hook). The hook explicitly accepts that a full shell parser is out of scope and biases toward over-detection. Closing the wrapper-miss would require recognizing command prefixes/absolute paths; closing the branch-name case would require a git ref-type lookup. Recorded under Accepted Risks.

• PII in source files (hw-bootstrap.sh, LICENSE, NOTICE, README.md, and other references to peterzat): Inherent to a personal dotfiles repo. Reviewed and accepted.
• Pre-push gate detection is heuristic, not a shell parser (hooks/pre-push-codereview.sh): is_git_push misses wrapper/prefix invocations (env, command, bash -c, eval, absolute-path, xargs, env-var prefix); is_tag_only_push treats a branch named v[0-9]... as a tag. Both let a push bypass the advisory codereview gate. Accepted under the advisory-gate threat model (the human operator can bypass trivially and the misses are visible in the transcript); the hook is intentionally simple, biased toward over-detection. Supersedes the prior "Tag-bypass regex" risk, whose specific combined-branch+tag / stray-token case is now fixed.
• Vendor curl | bash installers (hw-bootstrap.sh: NodeSource, Tailscale, Claude Code): Remote code execution by design over HTTPS to first-party vendor domains; the documented purpose of a bootstrap script. Not checksum-pinned, consistent with the accepted-risk philosophy for first-party supply-chain trust on this box.
• Predictable /tmp/cuda-keyring.deb path (hw-bootstrap.sh:163-168): TOCTOU vector only on a multi-user host; immaterial on the documented single-user target (/tmp sticky bit, only UID 1000). Recorded by the 2026-06-03 entry.
• Diff content forwarded to third-party APIs (bin/review-external.sh): The full git diff is sent to OpenAI and Google when configured. Secrets in the diff would be exposed. This is the script's explicit purpose; the user opts in by configuring API keys.
• API key in curl -H "Authorization: Bearer ${api_key}" (bin/review-external.sh:246, 337): The header argument is visible in /proc/<pid>/cmdline to any local user during the curl invocation window. Not exploitable on this single-user dev box. Recorded by the SECURITY.md 2026-05-03 entry.

Prior review (2026-06-03, scope: paths): Reviewed hw-bootstrap.sh at edfe7cb (gh + NodeSource install steps). 0 BLOCK / 0 WARN / 1 NOTE (predictable /tmp CUDA keyring path, immaterial on the single-user target). Vendor curl|bash and PII risks accepted.