fix(hooks): restore Linear issue reference blocking in commit-msg.mts

The bash-to-TypeScript migration of commit-msg dropped the Linear issue
reference blocking. Add scanLinearReferences() to _helpers.mts (matching
the original team-key regex and linear.app URL check) and invoke it from
commit-msg.mts to block commits containing internal tracker references.

Author: cursoragent

.git-hooks/_helpers.mts

@@ -382,6 +382,41 @@ export const scanLoggerLeaks = (text: string): LineHit[] => {
   return hits
 }
 
+// ── Linear issue reference scanner ──────────────────────────────────
+//
+// Linear tracking lives in Linear; keep commit history tool-agnostic.
+// Team keys enumerated from the Socket workspace. PATCH listed before
+// PAT so the engine matches the longer prefix first.
+
+const LINEAR_TEAM_KEYS =
+  'ASK|AUTO|BOT|CE|CORE|DAT|DES|DEV|ENG|INFRA|LAB|MAR|MET|OPS|PAR|PATCH|PAT|PLAT|REA|SALES|SBOM|SEC|SMO|SUP|TES|TI|WEB'
+
+const LINEAR_ISSUE_RE = new RegExp(
+  `(?:^|[^A-Za-z0-9_])((?:${LINEAR_TEAM_KEYS})-[0-9]+)(?:$|[^A-Za-z0-9_])`,
+)
+const LINEAR_URL_RE = /linear\.app\/[A-Za-z0-9/_-]+/
+
+// Scans commit-message text for Linear issue references (team-key
+// patterns like SMO-590 and linear.app URLs). Ignores git comment
+// lines (lines starting with `#`).
+export const scanLinearReferences = (text: string): string[] => {
+  const hits: string[] = []
+  for (const line of text.split('\n')) {
+    if (line.startsWith('#')) {
+      continue
+    }
+    const issueMatch = line.match(LINEAR_ISSUE_RE)
+    if (issueMatch) {
+      hits.push(issueMatch[1]!)
+    }
+    const urlMatch = line.match(LINEAR_URL_RE)
+    if (urlMatch) {
+      hits.push(urlMatch[0])
+    }
+  }
+  return hits.slice(0, 5)
+}
+
 // ── AI attribution scanner ─────────────────────────────────────────
 
 const AI_ATTRIBUTION_RE =

.git-hooks/commit-msg.mts

@@ -1,11 +1,13 @@
 #!/usr/bin/env node
 // Socket Security Commit-msg Hook
 //
-// Two responsibilities:
+// Three responsibilities:
 //   1. Block commits that introduce API keys / .env files (security
 //      layer that runs even when pre-commit is bypassed via
 //      `--no-verify`).
-//   2. Auto-strip AI attribution lines from the commit message before
+//   2. Block commits whose message references Linear issues (keep
+//      commit history tool-agnostic).
+//   3. Auto-strip AI attribution lines from the commit message before
 //      git records the commit.
 //
 // Wired via .husky/commit-msg, which invokes this with the path to the
@@ -23,6 +25,7 @@ import {
   out,
   red,
   readFileForScan,
+  scanLinearReferences,
   scanSocketApiKeys,
   shouldSkipFile,
   stripAiAttribution,
@@ -67,8 +70,26 @@ const main = (): number => {
     }
   }
 
-  // Auto-strip AI attribution lines from the commit message.
+  // Block Linear issue references in the commit message.
   const commitMsgFile = process.argv[2]
+  if (commitMsgFile && existsSync(commitMsgFile)) {
+    const msgText = readFileSync(commitMsgFile, 'utf8')
+    const linearHits = scanLinearReferences(msgText)
+    if (linearHits.length > 0) {
+      out(red('✗ Commit message references Linear issue(s):'))
+      for (const hit of linearHits) {
+        out(`  ${hit}`)
+      }
+      out(
+        red(
+          'Linear tracking lives in Linear. Remove the reference from the commit message.',
+        ),
+      )
+      errors++
+    }
+  }
+
+  // Auto-strip AI attribution lines from the commit message.
   if (commitMsgFile && existsSync(commitMsgFile)) {
     const original = readFileSync(commitMsgFile, 'utf8')
     const { cleaned, removed } = stripAiAttribution(original)