chore: harden dual-remote git workflow

.githooks/pre-push

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+remote_name="${1:-}"
+remote_url="${2:-}"
+
+if [[ "$remote_name" != "tubco" && "$remote_url" != *"git.tub.co"* ]]; then
+  exit 0
+fi
+
+allowed=0
+
+while read -r local_ref local_sha remote_ref remote_sha; do
+  [[ -z "${local_ref:-}" ]] && continue
+
+  case "$local_ref" in
+    refs/heads/release/tubco-*)
+      allowed=1
+      ;;
+    refs/tags/tubco-baseline-*)
+      allowed=1
+      ;;
+    *)
+      echo "Blocked push to 'tubco': '$local_ref' is not an approved customer ref." >&2
+      echo "Allowed refs:" >&2
+      echo "  refs/heads/release/tubco-*" >&2
+      echo "  refs/tags/tubco-baseline-*" >&2
+      echo "Use origin for normal product work." >&2
+      exit 1
+      ;;
+  esac
+done
+
+if [[ "$allowed" -eq 0 ]]; then
+  echo "Blocked push to 'tubco': no approved TUBCO refs were detected." >&2
+  exit 1
+fi
+
+exit 0

CONTRIBUTING.md

@@ -58,6 +58,17 @@ Default rule:
 - normal product work goes to `origin`
 - TUBCO pushes happen only when explicitly requested
 
+Safety rules in this repo:
+- plain `git push` should default to `origin`
+- pushes to `tubco` are guarded by a repo-local `pre-push` hook
+- only these refs should go to `tubco`:
+  - `release/tubco-*`
+  - `tubco-baseline-*`
+
+Authentication rule:
+- prefer a personal access token for the `tubco` HTTPS remote
+- do not rely on a reusable account password long term
+
 ## Current Delivery Model
 - GitHub Actions is used for CI
 - the current test server is local/LAN-only

backend/workflows/templates/workflows/developer_handbook.html

@@ -104,6 +104,7 @@
       </ul>
       <pre><code>./scripts/git_remote_target.sh status</code></pre>
       <p>Use the helper above before pushing if there is any doubt about which remote should receive the change.</p>
+      <p>Plain <code>git push</code> should default to <code>origin</code>, and a repo-local <code>pre-push</code> hook blocks accidental pushes to <code>tubco</code> unless the ref is an approved TUBCO branch or baseline tag.</p>
     </div>
     <div class="box">
       <h3>Customer release branches</h3>
@@ -696,6 +697,7 @@ docker compose restart worker</code></pre>
       <pre><code>./scripts/git_remote_target.sh set-own-identity
 ./scripts/git_remote_target.sh set-tubco-identity</code></pre>
       <p>Switch between the normal commit identity and the TUBCO customer identity when needed.</p>
+      <p>For the TUBCO HTTPS remote, prefer a personal access token instead of a reusable account password.</p>
     </div>
     <div class="box">
       <h3>Direct server deployment</h3>

scripts/git_remote_target.sh

@@ -18,7 +18,8 @@ Usage:
 
 Commands:
   status
-      Show current branch, current commit, active local git identity, and configured remotes.
+      Show current branch, current commit, active local git identity, configured remotes,
+      and the local push-safety settings.
 
   push-origin [ref]
       Push a ref to the main product remote "origin".
@@ -59,11 +60,20 @@ show_identity() {
   fi
 }
 
+show_push_safety() {
+  local push_default hooks_path
+  push_default="$(git config --local --get remote.pushDefault || true)"
+  hooks_path="$(git config --local --get core.hooksPath || true)"
+  echo "remote.pushDefault: ${push_default:-<unset>}"
+  echo "core.hooksPath: ${hooks_path:-<unset>}"
+}
+
 case "${1:-}" in
   status)
     echo "Branch: $(current_branch)"
     echo "Commit: $(git rev-parse --short HEAD)"
     show_identity
+    show_push_safety
     echo
     echo "Remotes:"
     git remote -v