Tighten post-receive hook based on review
Move the push out of the hook into Repo::push_to_mirror so the actual
push logic is unit-testable independent of GIT_DIR/stdin orchestration.
Reject mirror URLs that embed credentials at deserialization, since a
typo would leak the token via tracing or Sentry. Make terminal-stdin
invocation an error rather than a silent no-op — running the hook
manually is a misuse, not a state.
Documents the env-var token exposure (visible in /proc/<pid>/environ)
as a known limitation in the helper's docstring; revisit when the CI
runner lands. Updates README to describe the PAT approach instead of
the per-repo deploy key the original design called for.
Assisted-by: Claude Opus 4.7 via Claude Code
projects / quire.git / commit