Audit cleanGitRepoEnv handling of Git config selector environment

[wesm]

Problem

cleanGitRepoEnv was added to isolate Git ref resolution from repo-scoped environment leakage such as GIT_DIR, GIT_WORK_TREE, alternate object/index paths, namespace, prefix, quarantine state, and inline GIT_CONFIG_COUNT config injected by surrounding processes.

A review on the subagent/panel branch raised a plausible edge case: the current sanitizer also removes GIT_CONFIG_GLOBAL and GIT_CONFIG_SYSTEM. CI or containerized environments may intentionally set those variables for controlled Git configuration, for example safe.directory or system/global config isolation.

Why this needs a focused follow-up

This code is delicate because it sits between daemon/CI/test execution and Git process environment inheritance. The original isolation was intentional and should not be weakened casually. The right fix is to audit which environment variables are repository-scoped versus configuration-selector variables, then add focused tests for both cases.

Suggested investigation

• Confirm which variables must be stripped to prevent stale repository context from affecting ResolveSHA.
• Decide whether GIT_CONFIG_GLOBAL and GIT_CONFIG_SYSTEM should be preserved, stripped, or handled only under specific test/CI conditions.
• Add regression tests covering:
  • stale GIT_DIR / GIT_WORK_TREE cannot redirect ref resolution;
  • config selector variables do not break intended controlled Git config, if preserved;
  • inline GIT_CONFIG_COUNT config remains stripped if it can override command behavior unexpectedly.

Context

The speculative branch-local fix was reverted from feat/proper-subagent-reviews; this should be addressed in a separate PR.

[wesm]

Update from feat/proper-subagent-reviews: the ResolveSHA environment scrubbing introduced by 5d2af98e has been removed from the panel/subagent PR.

That change was too broad for this branch. ResolveSHA is a shared Git primitive, and changing its inherited Git environment needs a focused design/test pass rather than being bundled with CI panel work. The independent Windows test executable-name fixes from that commit can remain, but the production cleanGitRepoEnv / cmd.Env = ... behavior should be evaluated separately here.

For the follow-up, the key question is still the boundary between repo-scoped Git environment leakage and intentionally supplied Git config selectors. Any proposed change should include targeted tests for both sides before touching ResolveSHA again.

[wesm]

Final treatment on the panel branch: ResolveSHA no longer has any local env-scrubbing helper or cmd.Env override.

The branch-specific issue was that the new panel target-freezing path used internal/git.ResolveSHA directly, while the pre-panel enqueue path on main resolves refs through go.kenn.io/kit/git/repo.Resolve. I changed the panel path to use that existing kit resolver instead of adding bespoke environment cleaning to ResolveSHA.

This issue should still track whether any broader ResolveSHA behavior needs a deliberate follow-up, but the subagent/panel PR should not contain that broad change.