feat(security): harden simple-git against malicious repo config RCE

[gregpriday]

Summary

• Introduces createHardenedGit() utility that wraps simpleGit() with config overrides to neutralize dangerous git config options (core.fsmonitor, core.pager, protocol.ext.allow)
• Strengthens validateCwd() to reject relative paths, enforcing path.isAbsolute() across all git IPC handlers
• Applies the same hardening to GitHub IPC handlers that accept cwd from the renderer

Resolves #3704

Changes

• electron/utils/hardenedGit.ts — New module exporting createHardenedGit(cwd) and HARDENED_GIT_CONFIG constant. Disables core.fsmonitor, core.pager, and protocol.ext.allow via -c flags on every git invocation
• electron/utils/git.ts — validateCwd() now requires absolute paths via path.isAbsolute()
• electron/ipc/handlers/git-write.ts — All simpleGit(cwd) calls replaced with createHardenedGit(cwd); validateCwd imported from shared utility
• electron/ipc/handlers/github.ts — Added path.isAbsolute() validation and createHardenedGit() for all git operations
• electron/ipc/handlers/projectCrud.ts — Switched to createHardenedGit()
• electron/ipc/handlers/worktree.ts — Switched to createHardenedGit()
• electron/services/GitService.ts — Switched to createHardenedGit()
• electron/utils/__tests__/hardenedGit.test.ts — 136-line test suite covering config overrides, absolute path enforcement, empty/whitespace rejection
• electron/utils/__tests__/git.test.ts — Updated validateCwd tests for absolute path requirement
• electron/services/__tests__/GitService.test.ts — Updated mocks to use hardenedGit

Testing

• All new and updated unit tests pass
• TypeScript typecheck passes cleanly
• ESLint and Prettier report no issues

[gregpriday]

Review status: Rebased and ready

[gregpriday]

Cross-PR review note

After reviewing all 12 open PRs in this batch together, these interactions were identified:

• PRs feat(security): harden simple-git against malicious repo config RCE #3742 and feat(network): add fetch timeouts to GitHub API and Git operations #3747: Both replace simpleGit() calls across the codebase with different wrapper functions (createHardenedGit vs createGit). Both modify git-write.ts, projectCrud.ts, GitService.ts, git.ts.
  Recommended sequence: Merge feat(security): harden simple-git against malicious repo config RCE #3742 first, then rebase feat(network): add fetch timeouts to GitHub API and Git operations #3747 and consolidate into createHardenedGit with timeout added.

• PRs feat(pty): kill entire process tree on terminal close and app quit #3741 and fix(pty): kill orphaned PTY when TerminalProcess constructor throws #3745: Both modify TerminalProcess.ts and TerminalProcess.kill.test.ts. feat(pty): kill entire process tree on terminal close and app quit #3741 changes kill/dispose methods; fix(pty): kill orphaned PTY when TerminalProcess constructor throws #3745 changes the constructor signature.
  Recommended sequence: Merge feat(pty): kill entire process tree on terminal close and app quit #3741 first, then rebase fix(pty): kill orphaned PTY when TerminalProcess constructor throws #3745 to adapt test helpers to the new constructor signature.

[gregpriday]

Setting diff.external= (empty string) made git interpret it as "run an empty program as the diff tool." Fixed in #4221 by removing the broken override and using --no-ext-diff flags instead.

Regression audit for training data.