Fix force-with-lease safety bypass caused by pre-push fetch

[brdv]

Summary

Prevent stck push from silently overwriting remote commits when --force-with-lease is neutralized by a prior git fetch origin.

run_push calls gitops::fetch_origin() before gitops::push_force_with_lease(), which updates remote tracking refs to match the actual remote. Since --force-with-lease (without an explicit expected SHA) checks against those tracking refs, the safety check always passes after a fresh fetch — even when the remote has commits the local branch doesn't contain. This adds a pre-push ancestor check using the existing gitops::is_ancestor() helper: before each force push, verify that origin/<branch> is an ancestor of the local <branch>. If not, abort with a clear error telling the user to integrate remote changes first.

Changelist

• src/commands.rs — Add ancestry guard in the run_push loop before each push_force_with_lease call
• tests/push.rs — Add push_aborts_when_remote_has_commits_not_in_local_branch integration test
• tests/harness/mod.rs — Add STCK_TEST_NOT_ANCESTOR_PAIRS env var support and self-identity ancestor rule to git stub

Checklist

• Changes are minimal and focused for this milestone
• No breaking CLI changes unless explicitly intended
• Errors are user-facing, actionable, and prefixed with error:
• Added/updated tests for behavior changes