Fix thread GitHub PR identity isolation

[zzj3720]

Summary

• keep shared runtime HOME while isolating broker session GH_CONFIG_DIR beside each auth-profile codex-home
• reset GitHub git credential helpers in the app-server env so credential lookups go through broker gh auth git-credential
• forward stdin through the broker gh wrapper and request workflow scope for new GitHub PR identity bindings
• add the approved plan and regression coverage for app-server env, gh wrapper token/env handling, stdin forwarding, and OAuth scopes

Validation

• pnpm exec tsc -p tsconfig.json --noEmit
• pnpm exec vitest run test/config.test.ts test/github-pr-identity-service.test.ts test/gh-wrapper.test.ts test/app-server-process.test.ts
• pnpm build
• pnpm test (59 files / 382 tests passed)
• Manual: with isolated GH_CONFIG_DIR, new wrapper source resolves this Slack session to pengx17; direct real gh sees no login; git credential fill through the fixed helper returns x-access-token with the password redacted locally.

Notes

Peng's current OAuth binding lacks workflow, and Peng is not a collaborator on HOOLC/slack-codex-broker, so GitHub rejected both pushing to Peng's stale fork and creating a PR from the upstream branch with Peng's token. This PR includes the scope fix for new/rebound identities, but I opened this draft with maintainer credentials so the fix is not blocked.