Canonicalize linked worktree hook trust keys

[abhinav-oai]

Why

Fixes #23996.

Project hooks in linked Git worktrees were being discovered from the root checkout's .codex folder. That preserved a single trust state, but it also meant the active worktree could stop being the source of truth for hook declarations.

That was especially confusing because hooks still execute with the active worktree as their cwd. Hook authors reasonably write commands that resolve paths from the worktree, such as scripts under $(git rev-parse --show-toplevel)/.codex/...; loading the declaration from the root checkout while executing in the linked worktree made those paths disagree.

The goal here is to keep the useful trust property without making hook authors target a separate config directory or giving every worktree its own growing trust entry.

What

• Stop replacing linked-worktree project hook declarations with root-checkout hook declarations during config loading.
• Add a separate hook trust-key config folder so discovery can load declarations from the active worktree while canonicalizing the hook key to the matching root-checkout .codex folder.
• Keep the reported hook source_path pointed at the active worktree, while using the canonical path only for key generation.