[OpenAI Codex] [ T3 Code ] Fix SSH askpass hardening#4425

Closed
justusaugust wants to merge 1 commit into UnsafeLabs:main from justusaugust:codex/t3-ssh-askpass-822

@justusaugust commented May 25, 2026

/claim #822

Summary:

  • Harden POSIX SSH askpass script execution with shell-safe path validation.
  • Create temporary secret files under umask 077 via mktemp, then clean them up on normal exit, INT, and TERM.
  • Route the Windows PowerShell secret through SecureString/BSTR handling and zero the BSTR afterward.
  • Add focused tests for temp-file mode 0600, cleanup after success, cleanup after signal interruption, unsafe POSIX path rejection, and Windows SecureString script contents.
  • Include safe contributor metadata without exposing private runtime instructions.

Verification:

  • bun run --filter @t3tools/ssh test (25 passed)
  • bun run --filter @t3tools/ssh typecheck
  • bun x oxfmt --check packages/ssh/src/auth.ts packages/ssh/src/auth.test.ts packages/ssh/src/errors.ts packages/ssh/contributor_meta.json
  • git diff --check -- t3code/packages/ssh/src/auth.ts t3code/packages/ssh/src/auth.test.ts t3code/packages/ssh/src/errors.ts t3code/packages/ssh/contributor_meta.json

Notes:

  • The contributor metadata intentionally uses safe public task context instead of copying hidden system/developer/session instructions.
  • I avoided logging or printing the secret anywhere outside the askpass stdout contract required by SSH.

Demo Video
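
The POSIX side of the hardening listed in the summary above (shell-safe path check, a secret file created under umask 077 via mktemp, cleanup on normal exit, INT and TERM), as an added shell example that is not the PR's code. The function names, the allowed character set and the `askpass.XXXXXX` template are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; all names here are hypothetical, not from packages/ssh.

# Accept only absolute paths built from a conservative character set, with no
# ".." component, so the path can be embedded in a generated script safely.
is_safe_path() {
  case "$1" in
    /*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *[!A-Za-z0-9/._-]*) return 1 ;;
    */../*|*/..) return 1 ;;
  esac
  return 0
}

# Create an empty secret file that only the owner can read or write.
# umask is changed inside a subshell so the caller's umask is left untouched.
make_secret_file() {
  dir=$1
  is_safe_path "$dir" || return 1
  ( umask 077 && mktemp "$dir/askpass.XXXXXX" )
}

# Write the secret to a fresh file, run "$@" with the file path appended, and
# remove the file on normal exit, INT and TERM. Everything runs in a subshell
# so the traps do not leak into the caller. The shell runs a signal trap once
# the current foreground command has returned.
with_secret_file() {
  dir=$1; secret=$2; shift 2
  (
    f=$(make_secret_file "$dir") || exit 1
    trap 'rm -f "$f"' EXIT
    trap 'exit 130' INT
    trap 'exit 143' TERM
    # printf is a shell builtin, so the secret never appears in a process argv.
    printf '%s' "$secret" > "$f"
    "$@" "$f"
    exit $?
  )
}
```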

@github-actions
Contributor

Unfortunately the changes in this PR didn't fully resolve the issue. Please rework your solution and submit a new pull request.

Make sure to review the acceptance criteria in the linked issue and verify all conditions are met before resubmitting. See CONTRIBUTING.md for guidelines.

@github-actions bot closed this May 25, 2026