feat: automatic git auth and signing for sprout agents

[tlongwell-block]

Summary

Integrate git-credential-nostr and git-sign-nostr into sprout-dev-mcp as multicall personalities. Agents using sprout-dev-mcp get automatic NIP-98 git auth and NIP-GS commit signing when NOSTR_PRIVATE_KEY is set — zero persistent config mutation.

How it works

sprout-dev-mcp (single binary, sync main)

argv[0] dispatch (before tokio, before tracing):
  rg / tree / git-credential-nostr / git-sign-nostr

async (tokio runtime built here):
  sprout (CLI) / default (MCP server)

Shim dir (0700 tempdir, prepended to PATH):
  symlinks → self for all personalities
  .nostr-key (0600, OpenOptions::mode at creation) — private key

At startup, the dev-mcp:

1. Reads NOSTR_PRIVATE_KEY, then remove_var() unconditionally
2. Writes key to 0600 file (created with create_new + mode(0o600))
3. Derives the public key for user.signingkey
4. Zeroizes the in-memory key string
5. Builds ephemeral GIT_CONFIG_* env vars for shell children

Shell children get automatic nostr credential auth + commit signing. The credential helper is additive — it silently declines non-Sprout remotes (no Nostr WWW-Authenticate challenge = exit 0, no credential), so git falls through to system helpers for GitHub/GitLab/etc.

What agents can do

• git push to Sprout relays — automatic NIP-98 auth
• git commit — automatic NIP-GS signing
• git clone git@github.com:... — SSH works (SSH_AUTH_SOCK passed through)
• git push to GitHub/GitLab — system credential helpers still work
• sprout channels list — relay CLI works (SPROUT_PRIVATE_KEY inherited)

Security model

• NOSTR_PRIVATE_KEY removed from process env after keyfile write
• Keyfile is 0600 inside 0700 tempdir, cleaned up on drop
• Shell children cannot read the key from env
• Git helpers read from keyfile via nostr.keyfile git config
• SPROUT_PRIVATE_KEY intentionally inherited (sprout CLI needs it)

Changes

• git-credential-nostr: extract lib.rs with pub fn run() -> i32, remove unused anyhow dep
• git-sign-nostr: extract lib.rs with pub fn run() -> i32
• sprout-dev-mcp: multicall dispatch (sync, before tokio/tracing), shim symlinks, keyfile, ephemeral git config, secret scoping
• sprout-agent: widen PASSTHROUGH_ENV (SSH_AUTH_SOCK, GIT_ASKPASS, GIT_SSH_COMMAND, SPROUT_PRIVATE_KEY, SPROUT_RELAY_URL)
• scripts/build-agent-release.sh: tar packaging with cross-compile support

Standalone binaries for both git helpers continue to work unchanged (lib + bin pattern).

Release artifact

./scripts/build-agent-release.sh 0.1.0
# → dist/sprout-agent-v0.1.0-aarch64-apple-darwin.tar.gz (9.7 MB)
#   Contains: sprout-agent (8.8 MB) + sprout-dev-mcp (14 MB)

Testing

• 144 tests pass across all affected packages
• Existing integration tests for git-credential-nostr and git-sign-nostr pass
• Pre-existing flaky test cancel_kills_inflight_tool_via_mcp_notification unrelated