Committed by Will Chen
## Summary

- Fixes false positive in gh permission hook when PR bodies contain markdown code spans like `concurrency`
- Adds `MARKDOWN_CODE_SPAN_PATTERN` to neutralize backtick pairs with identifier-like content before checking for shell injection
- Security preserved: actual command substitution patterns with spaces/special chars still blocked

## Test plan

- [x] Tested commands with markdown code spans now pass
- [x] Tested commands with actual command substitution patterns are still blocked
- [x] Tested command chaining attempts are still blocked

#skip-bugbot

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---

## Summary by cubic

Allows safe markdown code spans inside double-quoted PR/issue bodies by neutralizing backtick-wrapped identifiers; command substitution and unsafe chaining remain blocked.

- **Bug Fixes**
  - Neutralize identifier-like code spans only inside double quotes using MARKDOWN_CODE_SPAN_PATTERN; requires a dot, hyphen, or underscore and excludes plain words; still blocks backticks with spaces, args, or pipes.

<sup>Written for commit 9d81ffe0bf0c58dd7862ffc16b49318698c8fb5d. Summary will update on new commits.</sup>

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
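The check described in the commit message, as an added example that is not the project's hook code: a double-quoted argument is first scanned for backtick pairs wrapping a single identifier-like token (letters, digits and at least one dot, hyphen or underscore, as the cubic summary describes), those spans are replaced by a placeholder, and only then is the whole command tested for backtick or `$(...)` command substitution and for chaining operators outside quotes. The regular expressions, the `CODESPAN` placeholder and the sample `gh` commands are all constructed for this illustration; the real `MARKDOWN_CODE_SPAN_PATTERN` is not reproduced here.

```python
import re

# Assumed shape of the code-span allow rule (not the project's own pattern):
# one backtick pair around a single token of [A-Za-z0-9._-] that contains at
# least one '.', '-' or '_'. Plain words such as `whoami` deliberately do NOT
# match, so a bare command name inside backticks is still treated as suspect.
MARKDOWN_CODE_SPAN_PATTERN = re.compile(r"`(?=[A-Za-z0-9._-]*[._-])[A-Za-z0-9._-]+`")

# What the hook must keep blocking: backtick pairs that survived neutralization
# (they contain spaces, args, pipes, ...) and $(...) substitution. Both are
# expanded by the shell even inside double quotes, so the whole string is scanned.
COMMAND_SUBSTITUTION_PATTERN = re.compile(r"`[^`]*`|\$\([^)]*\)")

# Chaining / piping operators only matter outside quotes.
CHAINING_PATTERN = re.compile(r"[;&|\n]")

# Double-quoted segment with backslash escapes honoured. Single quotes are not
# modelled, so a single-quoted body containing '&&' fails closed (is rejected).
DOUBLE_QUOTED = re.compile(r'"(?:[^"\\]|\\.)*"')

PLACEHOLDER = "CODESPAN"  # constructed marker, never expanded by a shell


def neutralize_code_spans(command: str) -> str:
    """Replace identifier-like markdown code spans inside double-quoted
    segments with PLACEHOLDER. Backticks outside double quotes are untouched."""

    def fix_segment(match: "re.Match[str]") -> str:
        return MARKDOWN_CODE_SPAN_PATTERN.sub(PLACEHOLDER, match.group(0))

    return DOUBLE_QUOTED.sub(fix_segment, command)


def is_safe_gh_command(command: str) -> bool:
    """Permission-hook style verdict: True only if, after neutralizing safe
    code spans, no command substitution remains anywhere and no chaining
    operator appears outside double quotes."""
    neutralized = neutralize_code_spans(command)
    if COMMAND_SUBSTITUTION_PATTERN.search(neutralized):
        return False
    # Blank out the quoted segments so operators inside a PR body are ignored.
    unquoted = DOUBLE_QUOTED.sub('""', neutralized)
    return CHAINING_PATTERN.search(unquoted) is None


def check_commands(commands: list[str]) -> list[tuple[str, bool]]:
    """Evaluate several commands and return (command, verdict) pairs."""
    return [(cmd, is_safe_gh_command(cmd)) for cmd in commands]


if __name__ == "__main__":
    # Constructed sample commands covering the cases named in the test plan.
    samples = [
        'gh pr create --title "ci" --body "Uses the `concurrency.group` key"',  # allowed
        'gh pr create --body "see `foo_bar` for details"',                       # allowed
        'gh pr create --body "`whoami`"',                                        # plain word: blocked
        'gh pr create --body "run `uname -a` first"',                            # args: blocked
        'gh pr create --body "$(id)"',                                           # $(...): blocked
        'gh pr view 1 && echo chained',                                          # chaining: blocked
    ]
    for cmd, ok in check_commands(samples):
        print(("ALLOW " if ok else "BLOCK ") + cmd)
```

The order matters: neutralizing first and then running the substitution check means a stray or unmatched backtick that the allow rule did not consume still pairs up with a neighbour and is rejected, so a mistake in the allow pattern degrades toward blocking rather than toward letting a substitution through.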
| Name | Last commit | Last updated |
|---|---|---|
| .. | | |
| commands/dyad | | |
| hooks | | |
| skills/multi-pr-review | | |
| settings.json | | |