Raw git hook stderr embedded in CommitRejectedError posted as public GitHub comment

[ooloth]

Current state

loops/common/git.py (lines 87–88) captures the raw stderr output from a failing git pre-commit hook and embeds it verbatim in CommitRejectedError. This error propagates to the loop that posts a GitHub comment on the issue the agent is working. Git hook stderr regularly contains internal file paths, lint rule names with file-relative paths, tool version strings, CI runner paths (e.g., /home/runner/work/...), or partial file content — implementation details that are now publicly visible to anyone who can read the issue.

Ideal state

• CommitRejectedError contains only a sanitized summary (e.g., "pre-commit hook rejected the commit") and a generic instruction for the agent to inspect the working tree
• Raw hook stderr is written to the agent's local log but is not included in any content posted to GitHub

Out of scope

• Changing what git hooks emit
• Suppressing hook stderr from local logs

Starting points

• loops/common/git.py lines 87–88 — the CommitRejectedError construction and the stderr capture
• The call site that catches CommitRejectedError and posts the message to GitHub

QA plan

1. Trigger a pre-commit hook failure that includes an internal path in its output (e.g., a lint error with an absolute path)
2. Observe the resulting GitHub comment — expect the full hook output appears verbatim today
3. After fix, repeat and confirm the comment contains only a sanitized summary with no internal paths

Done when

GitHub comments posted for commit rejections do not include raw hook stderr output.